wannacry | 4ab406ce81ed10decae495f738866ec47c46c299798ccb74953f849001d1cffa

Analysis

max time kernel
1200s
max time network
1088s
platform
windows10-2004_x64
resource
win10v2004-20240611-fr
resource tags

arch:x64arch:x86image:win10v2004-20240611-frlocale:fr-fros:windows10-2004-x64systemwindows
submitted
21-06-2024 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Resourcify (1.16.x-fabric)-1.4.0.jar
Size

2.4MB
MD5

77aa760b2d4433ed4102510439c3c3d8
SHA1

a0c0de72c9de1fbe92bb9a008ab30661dbf45c0c
SHA256

4ab406ce81ed10decae495f738866ec47c46c299798ccb74953f849001d1cffa
SHA512

daec27574102cf186b35366c9ee17652306179695390ccbef4c05157c6e37ce8757e0b01909bdf35d242276155e50c490b226eed6feaf91e14a0ebb875ea7442
SSDEEP

49152:1W7xRofUXTgEti/kzu+CRWyaCFNlFhsa6xkc1VH4EUACocNfCIBVEdO8GmJ:1WVRo8LtuK6Uai1VYEUA3ckTOLmJ

Score

10^/10

wannacry defense_evasion discovery execution impact ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5F27.tmp	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD5F2E.tmp	[email protected]

Executes dropped EXE 5 IoCs

pid	Process
6764	taskdl.exe
6740	@[email protected]
1916	@[email protected]
6456	taskhsvc.exe
5712	@[email protected]

Loads dropped DLL 9 IoCs

pid	Process
6456	taskhsvc.exe
6456	taskhsvc.exe
6456	taskhsvc.exe
6456	taskhsvc.exe
6456	taskhsvc.exe
6456	taskhsvc.exe
6456	taskhsvc.exe
6456	taskhsvc.exe
6456	taskhsvc.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2124	icacls.exe
824	icacls.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
366	raw.githubusercontent.com
327	camo.githubusercontent.com
329	camo.githubusercontent.com
331	camo.githubusercontent.com
337	camo.githubusercontent.com
363	raw.githubusercontent.com
364	raw.githubusercontent.com
365	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\2229298842\1848681917.pri	LogonUI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "197"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634838777924256"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3665033694-1447845302-680750983-1000\{0A1CAC8B-3227-4E75-AD55-8F4F4C222CAE}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 1e00718000000000000000000000e4c006bb93d2754f8a90cb05b6477eee0000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\NodeSlot = "3"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 0c0001008421de39050000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3665033694-1447845302-680750983-1000\{B593EC96-F890-45F6-9357-7414F3E51EB3}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369"	explorer.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier	firefox.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3208	explorer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1948	chrome.exe
1948	chrome.exe
2372	chrome.exe
2372	chrome.exe
6456	taskhsvc.exe
6456	taskhsvc.exe
6456	taskhsvc.exe
6456	taskhsvc.exe
6456	taskhsvc.exe
6456	taskhsvc.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
6172	msedge.exe
6172	msedge.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
652	Process not Found
4828	Process not Found
6160	Process not Found
2356	Process not Found
3284	Process not Found
6908	Process not Found
5172	Process not Found
5256	Process not Found
4800	Process not Found
2396	Process not Found
5968	Process not Found
2908	Process not Found
6488	Process not Found
6520	Process not Found
5124	Process not Found
5040	Process not Found
2100	Process not Found
5732	Process not Found
5372	Process not Found
2220	Process not Found
2664	Process not Found
4832	Process not Found
4136	Process not Found
6448	Process not Found
6924	Process not Found
6168	Process not Found
6600	Process not Found
1228	Process not Found
5240	Process not Found
5352	Process not Found
2840	Process not Found
4216	Process not Found
4548	Process not Found
6388	Process not Found
2788	Process not Found
3136	Process not Found
1280	Process not Found
4004	Process not Found
3960	Process not Found
5820	Process not Found
3480	Process not Found
2336	Process not Found
1384	Process not Found
6188	Process not Found
4616	Process not Found
3020	Process not Found
4944	Process not Found
4424	Process not Found
1568	Process not Found
1888	Process not Found
5332	Process not Found
392	Process not Found
6460	Process not Found
5016	Process not Found
6936	Process not Found
5892	Process not Found
1436	Process not Found
3744	Process not Found
1100	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1780	msedge.exe
1780	msedge.exe
6172	msedge.exe
6172	msedge.exe
6172	msedge.exe
6172	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
4856	firefox.exe
4856	firefox.exe
4856	firefox.exe
4856	firefox.exe
4856	firefox.exe
4856	firefox.exe
4856	firefox.exe
4856	firefox.exe
4856	firefox.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
4856	firefox.exe
4856	firefox.exe
4856	firefox.exe
4856	firefox.exe
4856	firefox.exe
4856	firefox.exe
4856	firefox.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe
4404	taskmgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4856	firefox.exe
4856	firefox.exe
4856	firefox.exe
4856	firefox.exe
6740	@[email protected]
6740	@[email protected]
1916	@[email protected]
1916	@[email protected]
5712	@[email protected]
5712	@[email protected]
5280	LogonUI.exe
5280	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 2124	4136	java.exe	92
PID 4136 wrote to memory of 2124	4136	java.exe	92
PID 1948 wrote to memory of 2980	1948	chrome.exe	104
PID 1948 wrote to memory of 2980	1948	chrome.exe	104
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 4876	1948	chrome.exe	105
PID 1948 wrote to memory of 3856	1948	chrome.exe	106
PID 1948 wrote to memory of 3856	1948	chrome.exe	106
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107
PID 1948 wrote to memory of 216	1948	chrome.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4560	attrib.exe
3680	attrib.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Resourcify (1.16.x-fabric)-1.4.0.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe0c14ab58,0x7ffe0c14ab68,0x7ffe0c14ab78
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=604,i,15840813826623067827,7730957813399639117,131072 /prefetch:2
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=604,i,15840813826623067827,7730957813399639117,131072 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=604,i,15840813826623067827,7730957813399639117,131072 /prefetch:8
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=604,i,15840813826623067827,7730957813399639117,131072 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=604,i,15840813826623067827,7730957813399639117,131072 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4068 --field-trial-handle=604,i,15840813826623067827,7730957813399639117,131072 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=604,i,15840813826623067827,7730957813399639117,131072 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4480 --field-trial-handle=604,i,15840813826623067827,7730957813399639117,131072 /prefetch:8
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4512 --field-trial-handle=604,i,15840813826623067827,7730957813399639117,131072 /prefetch:8
  2⤵
  PID:5388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=604,i,15840813826623067827,7730957813399639117,131072 /prefetch:8
  2⤵
  PID:5448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4936 --field-trial-handle=604,i,15840813826623067827,7730957813399639117,131072 /prefetch:8
  2⤵
  PID:5592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1136 --field-trial-handle=604,i,15840813826623067827,7730957813399639117,131072 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4864 --field-trial-handle=604,i,15840813826623067827,7730957813399639117,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2372

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=fr --service-sandbox-type=asset_store_service --field-trial-handle=2816,i,14543288286183039156,17771831241808852756,262144 --variations-seed-version --mojo-platform-channel-handle=4220 /prefetch:8
1⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultdc3cbfechf45eh4be9h8dd8h447a37f23dd8
1⤵
PID:5640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s LxpSvc
1⤵
PID:5124

C:\Windows\System32\FodHelper.exe
C:\Windows\System32\FodHelper.exe -Embedding
1⤵
PID:2972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5404
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.0.2013657389\1687939466" -parentBuildID 20230214051806 -prefsHandle 1780 -prefMapHandle 1772 -prefsLen 22166 -prefMapSize 235091 -appDir "C:\Program Files\Mozilla Firefox\browser" - {71d36e6c-bf4f-4aee-9c3f-51559435ef03} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 1852 231fd007158 gpu
    3⤵
    PID:5712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.1.1877355022\495741159" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22202 -prefMapSize 235091 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ca63f75-f172-4f29-ade4-3eb666a30148} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 2420 231e8e89958 socket
    3⤵
    - Checks processor information in registry
    PID:1132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.2.86208637\1630494056" -childID 1 -isForBrowser -prefsHandle 2828 -prefMapHandle 2728 -prefsLen 22240 -prefMapSize 235091 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9707b576-5854-4c6c-8485-af735a16a94a} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 2720 23182017958 tab
    3⤵
    PID:4144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.3.384009762\2136277664" -childID 2 -isForBrowser -prefsHandle 3872 -prefMapHandle 3868 -prefsLen 27614 -prefMapSize 235091 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dba53c61-8b03-49a8-b057-6a5f06b0d814} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 3884 23184054858 tab
    3⤵
    PID:1340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.4.1658826672\1724588737" -childID 3 -isForBrowser -prefsHandle 4712 -prefMapHandle 4104 -prefsLen 27538 -prefMapSize 235091 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c8786a5-0d16-42af-af6e-26015ecd702f} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 4748 23186f9df58 tab
    3⤵
    PID:1780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.5.1949780678\658312969" -childID 4 -isForBrowser -prefsHandle 5500 -prefMapHandle 5496 -prefsLen 27538 -prefMapSize 235091 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa0dae57-8536-40a7-a50f-b52744ebf30d} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 5508 23186ff4858 tab
    3⤵
    PID:632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.6.1722719789\695638471" -childID 5 -isForBrowser -prefsHandle 5644 -prefMapHandle 5648 -prefsLen 27538 -prefMapSize 235091 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e74f1bec-a6fb-4742-a48d-745fd3ca7b02} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 5416 23186ff2d58 tab
    3⤵
    PID:2092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.7.380545515\919534549" -childID 6 -isForBrowser -prefsHandle 5704 -prefMapHandle 5832 -prefsLen 28018 -prefMapSize 235091 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68b66bb9-b02f-40c3-9cc8-276742f20c91} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 5460 2318508b658 tab
    3⤵
    PID:5928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.8.1894586143\1971047133" -parentBuildID 20230214051806 -prefsHandle 9900 -prefMapHandle 9904 -prefsLen 28018 -prefMapSize 235091 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c566046d-a405-4177-a658-093e7bc75f7f} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 9876 231867f7758 rdd
    3⤵
    PID:4800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.9.1196052208\276767118" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 9884 -prefMapHandle 9892 -prefsLen 28018 -prefMapSize 235091 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a4d30b2-d868-4f65-ba7d-f09ac16ad93b} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 9848 231867f8958 utility
    3⤵
    PID:1664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.10.1494490582\534985439" -childID 7 -isForBrowser -prefsHandle 9552 -prefMapHandle 9556 -prefsLen 28018 -prefMapSize 235091 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2316f5df-1763-4928-ae8b-a0e00b0ae616} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 9572 2318508ce58 tab
    3⤵
    PID:4320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.11.339587167\1400771107" -childID 8 -isForBrowser -prefsHandle 9352 -prefMapHandle 9408 -prefsLen 28018 -prefMapSize 235091 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d14a7587-481e-461d-8f33-a2c6c4ac0b30} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 9364 231879e3558 tab
    3⤵
    PID:5616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.12.1024048851\1875281346" -childID 9 -isForBrowser -prefsHandle 5844 -prefMapHandle 5848 -prefsLen 28018 -prefMapSize 235091 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31dcc35a-3597-41d3-a198-38994de780ec} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 5816 231820c7058 tab
    3⤵
    PID:6128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault62e1eed5h91a8h41b9h97d1h81897b1df726
1⤵
PID:4912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s LxpSvc
1⤵
PID:5244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -Embedding
1⤵
PID:5796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:7032

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:5700
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:4560
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:824
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:6764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 220961719010649.bat
  2⤵
  PID:6796
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    PID:6548
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:3680
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6740
- - C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:6456
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  PID:6620
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1916
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      PID:5760
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        
        PID:6084

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6868

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://en.wikipedia.org/wiki/Bitcoin
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+buy+bitcoin
  2⤵
  PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=fr --service-sandbox-type=asset_store_service --field-trial-handle=4464,i,14543288286183039156,17771831241808852756,262144 --variations-seed-version --mojo-platform-channel-handle=5000 /prefetch:8
1⤵
PID:3944

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\InitializeClose.vbs"
1⤵
PID:824

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\InitializeClose.vbs"
1⤵
PID:6808

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\InitializeClose.vbs"
1⤵
PID:6800

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\InitializeClose.vbs"
1⤵
PID:6844

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\InitializeClose.vbs"
1⤵
PID:6892

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\InitializeClose.vbs"
1⤵
PID:7008

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\InitializeClose.vbs"
1⤵
PID:7004

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\InitializeClose.vbs"
1⤵
PID:6900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=fr --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=2140,i,14543288286183039156,17771831241808852756,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:1
1⤵
PID:6300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=fr --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3884,i,14543288286183039156,17771831241808852756,262144 --variations-seed-version --mojo-platform-channel-handle=784 /prefetch:1
1⤵
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=fr --service-sandbox-type=asset_store_service --field-trial-handle=5320,i,14543288286183039156,17771831241808852756,262144 --variations-seed-version --mojo-platform-channel-handle=5184 /prefetch:8
1⤵
PID:3304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=fr --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5472,i,14543288286183039156,17771831241808852756,262144 --variations-seed-version --mojo-platform-channel-handle=5492 /prefetch:8
1⤵
PID:6828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=fr --service-sandbox-type=service --field-trial-handle=5820,i,14543288286183039156,17771831241808852756,262144 --variations-seed-version --mojo-platform-channel-handle=5528 /prefetch:8
1⤵
PID:3820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7ffe02e54ef8,0x7ffe02e54f04,0x7ffe02e54f10
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2280,i,3312217389849087811,10231178968950763392,262144 --variations-seed-version --mojo-platform-channel-handle=2272 /prefetch:2
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=fr --service-sandbox-type=none --field-trial-handle=2008,i,3312217389849087811,10231178968950763392,262144 --variations-seed-version --mojo-platform-channel-handle=3424 /prefetch:3
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=fr --service-sandbox-type=service --field-trial-handle=2364,i,3312217389849087811,10231178968950763392,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=fr --service-sandbox-type=none --field-trial-handle=4456,i,3312217389849087811,10231178968950763392,262144 --variations-seed-version --mojo-platform-channel-handle=4476 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=fr --service-sandbox-type=none --field-trial-handle=4456,i,3312217389849087811,10231178968950763392,262144 --variations-seed-version --mojo-platform-channel-handle=4476 /prefetch:8
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=fr --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4972,i,3312217389849087811,10231178968950763392,262144 --variations-seed-version --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:6688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=fr --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=4980,i,3312217389849087811,10231178968950763392,262144 --variations-seed-version --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=fr --service-sandbox-type=asset_store_service --field-trial-handle=5564,i,3312217389849087811,10231178968950763392,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=fr --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5568,i,3312217389849087811,10231178968950763392,262144 --variations-seed-version --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=fr --service-sandbox-type=service --field-trial-handle=6124,i,3312217389849087811,10231178968950763392,262144 --variations-seed-version --mojo-platform-channel-handle=6140 /prefetch:8
  2⤵
  PID:6872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:6172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7ffe02e54ef8,0x7ffe02e54f04,0x7ffe02e54f10
    3⤵
    PID:5536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2372,i,1163747525870010441,2152448185301401530,262144 --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:2
    3⤵
    PID:932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=fr --service-sandbox-type=none --field-trial-handle=1820,i,1163747525870010441,2152448185301401530,262144 --variations-seed-version --mojo-platform-channel-handle=2804 /prefetch:3
    3⤵
    PID:3048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=fr --service-sandbox-type=service --field-trial-handle=2192,i,1163747525870010441,2152448185301401530,262144 --variations-seed-version --mojo-platform-channel-handle=3848 /prefetch:8
    3⤵
    PID:1844
- - C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=fr --service-sandbox-type=none --field-trial-handle=4480,i,1163747525870010441,2152448185301401530,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:8
    3⤵
    PID:6560
- - C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=fr --service-sandbox-type=none --field-trial-handle=4480,i,1163747525870010441,2152448185301401530,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:8
    3⤵
    PID:4120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=fr --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4632,i,1163747525870010441,2152448185301401530,262144 --variations-seed-version --mojo-platform-channel-handle=4640 /prefetch:1
    3⤵
    PID:4752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=fr --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5008,i,1163747525870010441,2152448185301401530,262144 --variations-seed-version --mojo-platform-channel-handle=5060 /prefetch:8
    3⤵
    PID:3292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=fr --service-sandbox-type=asset_store_service --field-trial-handle=5020,i,1163747525870010441,2152448185301401530,262144 --variations-seed-version --mojo-platform-channel-handle=5084 /prefetch:8
    3⤵
    PID:3532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=fr --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5452,i,1163747525870010441,2152448185301401530,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:1
    3⤵
    PID:4960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=fr --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5528,i,1163747525870010441,2152448185301401530,262144 --variations-seed-version --mojo-platform-channel-handle=5512 /prefetch:1
    3⤵
    PID:5588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --pdf-upsell-enabled --enable-dinosaur-easter-egg-alt-images --lang=fr --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5732,i,1163747525870010441,2152448185301401530,262144 --variations-seed-version --mojo-platform-channel-handle=5756 /prefetch:1
    3⤵
    PID:3164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=fr --service-sandbox-type=none --field-trial-handle=564,i,1163747525870010441,2152448185301401530,262144 --variations-seed-version --mojo-platform-channel-handle=5036 /prefetch:8
    3⤵
    PID:6516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=fr --service-sandbox-type=none --field-trial-handle=2012,i,1163747525870010441,2152448185301401530,262144 --variations-seed-version --mojo-platform-channel-handle=5800 /prefetch:8
    3⤵
    PID:6512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=fr --service-sandbox-type=service --field-trial-handle=3296,i,1163747525870010441,2152448185301401530,262144 --variations-seed-version --mojo-platform-channel-handle=3300 /prefetch:8
    3⤵
    PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"
1⤵
PID:6460

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"
1⤵
PID:4316

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2112

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:3208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:3564

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2956
- C:\Windows\system32\net.exe
  net user
  2⤵
  PID:2044
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user
    3⤵
    PID:4120
- C:\Windows\system32\net.exe
  net user admin *
  2⤵
  PID:6480
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user admin *
    3⤵
    PID:4624

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3fd0855 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
593f4392fe93a2712c898b7956bbc464

SHA1
712b7f634851db04bf0c50c03378950103518d7b

SHA256
1d7fa4cdcfca87a1d5ecf7857597a204fe19a25c28e3b7bd774e73dba8ee781b

SHA512
cfeb3d55b1000b903a735f241b6af2e06a79480bf11a9e26397d26fa07f916053a57a5871ea0b5cfca63e6e72b43c783119a82da2ccbda18047f57815f7a2987

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\60b3e7cd-76a6-472b-b8d6-ee947b6ef9fc.tmp

Filesize
279KB

MD5
e1cd4fc316e0790366d65382653696e3

SHA1
682def2a1c7c54ad6ccf75cc81bf4f8dc7ee796b

SHA256
25cfe1d8224b5801f385526647afd8625ffb7b58f93ea72e46a947ef17c75077

SHA512
c1956ff7c23406b93ac89adf4a3ccc9fc97003c25d29b4f8504983d1e76c17ea8afe0512d2fd34380afa7c26e28b2e2d64cb1c71a41aba39d760ffc852e37e29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
01bd74cac1b3b941039227c962a6bdf6

SHA1
549c54a58c0b16494fcf418ce99831b2197c9958

SHA256
123ec04c4f50d154b8b0b3fc16dc166a4f4718e1448b4e1b056a4542863d0b41

SHA512
2f08db749e136dcb2a4d2ed8615ce9aad201c576fba1e3d7a6ba5d4ace1168b817654682ffa215c076619c0ed92e17646f7278fe8ee41d5d2e9b1514ef9572fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
d39040f6efd2292dab793c80ada57e62

SHA1
dd0ed15da97465fe7814adf5fb8a77a0a12a78af

SHA256
28bb3cdd02f318c1cffd209a9b8846b79c29504370cc8d72bce39028c7051e09

SHA512
16b18b1639d521880322d5ac0ee38adf9ff1ad9c95b4a02c79e04bee4356cc8ad94691057d797b192217c878f83ead4e4ed8091f9c14d2155c932cb2c3236363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
07cccc831dc7b954f6a3103767deb574

SHA1
4d1b455bf8c650c20e9b075c6a8da37a7f6de18b

SHA256
698a2a8a97f768433e934d4050901f2febfe459df2b42cb3178840f342f5b870

SHA512
d1a003e7ec901735cbfd0dff2f1596a2145b73e50d91a3b414ad936bb1c48fc9112cc06903acd310707358794422e241dac0d4f85e6207e3fba65a6f7f973754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3303188a44eebdfcc93631165e8c8c2b

SHA1
903c15e59aadcad93da356d5d034d1d07b4f33d9

SHA256
668ac8249c326d17261e4267677a3961e92118a9e581c454ffb59f58195a3cfe

SHA512
fe5b7502a961816c7f2c8eb80a0629c9fa885a4e660a29e9c0a50ade156266101d2942826bdeb7fbbe89c0168369722501acebce395ee382fd0fa8c93ab5ff77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
522B

MD5
70a45262414d7bfa51eb62b0edb98cb7

SHA1
c4322a8e2b2366428899fa9ec55f38e185c8af90

SHA256
f937b464498db0fc012ff84d8e5d7f825da16afe6fbfc0cca20aed5a1adefe98

SHA512
93fd5f48dcb49481557a0144fa304a5fa2768892b04815a0031ad023357f5be3e9bc492e4677274069904ee7a94a1319446dad6fdb6ea00add5254ca948e5fd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
02f9e655e9153c88c3b6e92ce45f4b43

SHA1
c5bcee8dc5e875e4a09171acdcaf99b8db3c24eb

SHA256
d4db1fcf257799abc5000fb161e9dffaf265e0feac679f977c18bf803f100ec8

SHA512
47355e02b346e82818406b3b818a07671ecee8dce9185ad5d79552b147fc28ebf7dde963bae90777da2b88da33f2c6aa6a5761f9851597d00ca7750be0c0c313

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ebd0f6a005cdb4efe9b86a46a97c4d1c

SHA1
75c617cde014348319814c707ebb280b4a0bd9c5

SHA256
14fa526554fe37f9cdaed06a2c0ab6a4aae5a3cb0def0a28bf0a5fe51decca26

SHA512
ed3a83ac378c1d0b7710930e8490b3c299c5a0c23b37aa1c7da4d45b9eb9d4e67bddf09130efe9dedf2fdfad01ecf0c8fc06860dee2bf3482c2abca2f30bc589

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
8f17528fed181d0227072cf018307040

SHA1
6929e5411f4db30cee87c5c3dce3a848a334ace6

SHA256
688e6d95ded390c25f45dc3677e158391089ce6477f4bf4da6ec95a7831ca8a8

SHA512
20a7a29318018ec27c4863a9f262e2efe5d4053ce75c9c359dcb6798f4468bd8cfb75be0be9a3cef05bc8e8006f0a606f99cbe752d1bc454808726fb4d624f59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
279KB

MD5
4b6c32d3cee39b3b6cf43bc5e63bfa42

SHA1
2da1ef5905b5a706608d30817cc4af4f76c92aaf

SHA256
238c908f9254b4b06ec31b72323ebff203fb3c2fcc7658e9f97116da98888e56

SHA512
c221a3a4993535037461aea5fcbdc70c33087ea9e484e574f3dd10e452fa7ac4ac83295e08c69dd77e3ef64ed72f0e1081a2322e0855028173b1e139dcbcb8f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt

Filesize
4B

MD5
2076ad396bb5f77b40b687a6ca3d80de

SHA1
5ef26473c16303a94b3e60f0b7c63e4453ff30b0

SHA256
32b69417307dbb3f2dcba35dd0e3fe8844de600b308c4ed0566a626c5773087d

SHA512
f52d7c1ea88e0bc0fec13684ec9cc1a123000e1759bcebae728ac1e667cc0d879bbfb0dbe8d1844208c0c00a32883bf0716affba3287530da06724fea39ee461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
d09108f176b5b43a26c327db606c8254

SHA1
93820edca67addc0ca85a2675dfa96a13abbe166

SHA256
eb041bb4b36eec578bc316113d0a6ed4fe1f85ffff4e810f469d1b069eb5b8b3

SHA512
d0a027f8e45334b24dc28733a007ddac6b4fa1c6fa13b17c5481e57c19e2e21ad841d26cc5da8ff8c1c7f54e112e6438cba9a3824cb721bf7442db7a4f42757e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8b98cb4a-9f70-436e-bdfd-bc8d974212d6.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
69bce3e5991af78a232d76b3d620f072

SHA1
6a5728c17fbdad85e4f8d5167df5604f8d477dbb

SHA256
935b6b36cb89c36970ee3f84c5940d74ee7e7a8f5d897856d8d22a62bf1b2fd2

SHA512
bc882f360decbd513f1f0ecd862765e1540cf83d81d70fe4d190cf7501716f7bdfca1db4f4d21bf5f26ea508a5b28b46bbafd1089f8aabf589c8858f78db5e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
687f01be2feba2d807159611b5598ff2

SHA1
137f30dee40ee37047a00994fa1746f06f93641b

SHA256
dc19ea3b06e7992e3971033908ff21932365ada2d152081e1313fdd95cb792f7

SHA512
b5d435b66c82009f99d50df3f20a63577e3f142170c5cf148fe8fcd12c8799feb4a22fac076e4c6754433d1d631ccbb728222db3595a4860175394d264625e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
a147116ff371c2e16cf779fb89dda96c

SHA1
af7434815fe6181093314fe4ed87a86bde9460f3

SHA256
0229c3ae6b829a46676336b182cff33a5c89d8b5811c00d4652c48013234311d

SHA512
3fec6842adbe97591c584b49bca8fdc2cbcbc27ea4a7b47172264e7c9cf8dbc4d248b9a33ec03b3d7340d68eee8662fd4d3e4c5b00985f0a5f1b3f4593449a40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
57aae43d2e727a2787a4469de8a17660

SHA1
4f7995c01d37141113438b161af5db8d26bf130d

SHA256
83e95cf64feafc77537b5b6eaa2547276285010328a33d3d407e43c87e8c701a

SHA512
f96daab1d626ed93fe7ddf138017801178d46a4828f98947328cf965f626fe9a253c9f0ffc1c0c0b3e6d3ac926efccf912322e84a3da11651b86fc0325c3f977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
58KB

MD5
999fb9efeb1bb2e544de95ced9928b29

SHA1
d1ee2223ea8053a696c1e34b66a39025860ae43d

SHA256
fa84eff808af9624108597e06f07247448b0ab3b52397fae7a6572e97ef368ed

SHA512
e56c83df4899057f27141ac3655a0ebe485daa18d8acaaaa297cbf149c122b803ff41364c5a43f006d656a0ff74a5dd291b602ca731c45f8140acf24bb2926a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
4923b56a39617c8f2ad1f5151c754e64

SHA1
2e54fc3736b3bb74274e1c4a0a19f3c3fb666699

SHA256
fd7cec0c3011fd6f7d3a814b222c6dcb1f92ff61be3fb1796e06209c98e4659b

SHA512
8c95a203c742b35d6498e5b32e756cca618b4e07ec371b4a2e4a249579420044b6d3ac47aaf5833e7548fb3fc38ce08255a4905e1ea7897054e2ac5ba37ed8cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
58KB

MD5
a58c4ed7de57d1b71ec9f2bb4624c572

SHA1
5f78a7aaf7db306965fb2a70ca242f84c1786468

SHA256
cfde3cf0ce43456f2e4088c2bc5fefb6d36c557b8a412961e63556794ce3774a

SHA512
41a01941212197bfd4c5c1ff9194e46db6ebd80fd31517cdda17a50c1afca20d62e7fc02cc763576b297e01c914f76c653ce56d043c5540cd1ef370146a757c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\uriCache_

Filesize
29B

MD5
47d41a980668e9bfae197488d6d56feb

SHA1
8acd8919b112d637a18e4c2f79f61fd62d2a1e6d

SHA256
87c1ba0f3a75480bef554b38abd51d7858bbe2cff07d4fd29162b4468d2b6c43

SHA512
165cf9913129bab36c22399c3636960cff235313256262439bea6a1ed78cf80d65690254cc63148e7e13bb515b513037ab6be7d20efdfb12b07985339ada36fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
564aa43758e9e5da75685bc320131b22

SHA1
37d00b8a64db2c4582ea44140cca6e9cb0eb1b08

SHA256
cfcbd356d66d1b36d85913bf66f377f61974489c3f4a7650bee6ec4582c49db8

SHA512
176b964e438d32e89648bd0eb6033148c267ae55dfc4fb2d6869b654541d136526aea4e9cde26efcdde1f773d1e86b4aaac618e3fb1833539f212e2a255eb225

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\e0495fde257df2ef62ee7e3fdb1ebb9d7ff72300.tbres

Filesize
4KB

MD5
dc0a977aead9430341f0947f8820474c

SHA1
50d2d73606c7c34c5caabf41102e268fa33a4f34

SHA256
68b02909cc0ce39ac81af85b7de7fbda994b09ff29bfa728c0ad35c8398b82cf

SHA512
e9db73d9fd7a31114fbd25829ab55dedacd6291d19846c853edebd859cb860cc7eaf5537a0d55e6ddaa17a256c89254ceb76fc371b987929258933b7c3e0cc66

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m5gevmzl.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
4856993ab1d21bdc5de84e3ad7485c4f

SHA1
5642da4a6f2bb7c4f0538822d41733aa8d9a7fc6

SHA256
5399c4e43ab10c8c8e6741bb4d06e2c721681248abe2b223af46fdd41a728fd5

SHA512
231fac274b5e2503f64edcccda29a9fdeece38282413164985e5815d7f5478f6981ba4e702516a100354973049b3f297c066c5acc584639fcf10f1a2d54c9caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
3.3MB

MD5
e58fdd8b0ce47bcb8ffd89f4499d186d

SHA1
b7e2334ac6e1ad75e3744661bb590a2d1da98b03

SHA256
283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

SHA512
95b6567b373efa6aec6a9bfd7af70ded86f8c72d3e8ba75f756024817815b830f54d18143b0be6de335dd0ca0afe722f88a4684663be5a84946bd30343d43a8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\AlternateServices.txt

Filesize
3KB

MD5
80329ee70464d5a1e4a29ba5d4688378

SHA1
b2a157bc8d4f599aa97f666c091ceef0fdc29fad

SHA256
a46ea8a9dfa31ba91ccab60eb46b42e2c449e657371987f9888efeb168113abc

SHA512
1498a3a286a99c48c3822bff3f13a2d4ffa0feb149709baaeb812b1fffad54f6a0aa6be3426e86dd1059282bf1907418d4a2db9f26669418d04919be21d7d1d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\SiteSecurityServiceState.txt

Filesize
616B

MD5
e95fc1f4653044660e3729057272cbc9

SHA1
033db050a22c15e29af8e8b6737953a01c71eb40

SHA256
e70f3cd2ac0fc728c6b5cffaa29ed0ce7f5a66b94012180ec6f6e51f28480154

SHA512
dfa9716fde9f2554a313eddc0bb41cf649f13fb6c6eb67f9bd8cb7817897852fbd47d4ba4e43e4f4180726e425e8b0bb31804c9cb649400f31d8828525bd384f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\cert9.db

Filesize
224KB

MD5
0724c7f269b4c2feffc7a7634dfc5737

SHA1
e7aa8e4a4e4055487737ce7e9b2169add407f75a

SHA256
cbdcd6a3d55e4309d801134328c69e12b3a941f8411a3c0127930f9c20457bb7

SHA512
db962bf51ae62def8ff42cfc2424bea6273da93b51383c141ae628b3a2acdbafb264b707067a922828f1b3f4a398c85255ef52159cae6882c6e22cb144663f01

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\prefs-1.js

Filesize
7KB

MD5
00771cde4131c070bfa39e1af39f6f2c

SHA1
bd583edf94f76c275dcc129bf5cdb7f9d0348f3c

SHA256
c398ea4bcd88ad6324228122da17fe068e6ccc005fbec5385c790a498c124778

SHA512
ad5d6408d2143ede3dc813840b1e463da51243987ba68158c8965045f64557c83aeb7a20b82af20ebdcf5cca7d3ec9df689aee909f5fae15cc7c651fa23c1082

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\prefs-1.js

Filesize
6KB

MD5
6ae92ecbdeba77907843046a27eefe5f

SHA1
ad7aa4cf2f6152af7254a8008ced23ac3373513a

SHA256
ffaa5e0d9d20e1ed1cd3b1e7f3515a68171bed654da192c84e9cc602c0107323

SHA512
9ee052e04d64696741d93e2eb21037c8c313414b316d20523f1112a5b0d98c7749742a6ebaa64e73b7443c13b15162250943b7a492c20a906389772c20a40f16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\prefs-1.js

Filesize
7KB

MD5
41023ac9370c82d4dbcd039d4ca06d96

SHA1
8f7e2a52b0606cdaf14d416b14c027ef74f63a1a

SHA256
6bf9f5996d5d2407b50de8162587814368ea64f8209e063d4f992702ea86c51c

SHA512
ff1130b4005cd71b0bccf604b67c0bc0ee3bbe5f04928e6b83dcf38782d42322ea2ee36dc44c4b0e9bc2faf912a5268f6ea6352985508ef553f59a0742ea9e4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\prefs.js

Filesize
6KB

MD5
95300f6151d59a0c2943570327e09d72

SHA1
0cd3b791743123da8164bd85b655ddb663bcf9dc

SHA256
e5b2ec60cee22c5199ca0aa6c08f97aa5db09ffae19db12ee0e332c84adbb442

SHA512
24cc517b5ba374f9b65c57332c3a5252da9b7521b3035cf104ec04de8710a9880e21c56e90b7c17d048d0075887d3110dda9c1760e4767b56476b238ddf0fecf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
5894a7d5e779e3a5b9d2adfa697003ec

SHA1
3efb32125cef8720e7bc43c22c598a89fc856e8f

SHA256
0d538cd7a747383dc52ad656901dd016ed748b88f41bb052948272f347a9c510

SHA512
640960132b91728f73a5ba1a5bee2334cd48437b6827c35d993a400a05deeb6b4150ed3a4b08c8287f7e89c52fa424204b818813315cb71b389c592f5b3b2bf0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
b1b8145efc51e1fea47100327ed1b265

SHA1
4c40823599d7986a98f2656f04723d91d206e492

SHA256
2cd5e9a88b1974e7d80ce72bef5a1c569c41c0aa01f675393956a50b66e613c0

SHA512
e8dc8c94489e8b77f96df4649f673122d3a571216dd0d7f34951e83f15321c011494f5a9b5a45fa36e4feebca3ee9ee1d101ec06b44d4733327554dddfa7085d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
900ec5f32468d874f4ac7ea9372ac57f

SHA1
dc97220ea80f49b291c5d713816b032aac78d1d4

SHA256
ebf155f594450c3446f534d7185d55bf06c9b6b780116dffe77be2614265361b

SHA512
6ac8ae4f105eb8430107ce1c2daee44f6f9f72128266c80b603703a5bfa5246a2a7c659636a2f0cec9a48823abe45d9100dffc2b5fd91a3218c0b344175473e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
3315df496348de7f212077efe7cdb031

SHA1
a15d9bf3dbbf8566a323e229ff3b3f6f633c59b8

SHA256
d99065f1397bc9107d1cab074266b5072a52e7fb5171729248d2ddae44cb3f19

SHA512
612910b2d211ceee3507a8a3dbaebc98be44d10d2240d11e9f1f8c9df3f0acd955921919016a72c201eb34d5365859e191baa8647687b14c510979df96a15945

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
e5878030455c2ee728c6c7a336f973d5

SHA1
4e35bde9289b2d5d5f4c77a1d2f62a183b2bde78

SHA256
51cef54dc1900d9d9bc55a41d34f6ded069be98e9b68ec631babd9d1afd01cd2

SHA512
c34dc28776debcabf2222614c3b472a76f978691a9c6f0a0385e629b96415fba97dbd5d0ffb9af152a90f0839967179014b780ea091d7af34551064e32cb3dc5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
7346450ab3e8709d5d4ecfb0fc45c961

SHA1
fd175196876ae83226e5bb4c7df8f7cc66721542

SHA256
1f81ebbf120d4b849e238daa3afdbe026311d49db626cc0952fbe84e62fa87fa

SHA512
82f0486a0ee28dfb373105892cf5baf2bc7e4295a38c92cd2e53500c5a137fe66e331aea34d50a70a1e73800de793d859f8ef4c05fc3f7a87e28c5a9538c3b49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\sessionstore.jsonlz4

Filesize
7KB

MD5
7d0f5dc847b0e8c6219c2bb574cc0d2e

SHA1
90338e1cb8bed3f06c1530fb863d4358a54ae769

SHA256
79cf13c09b13cfdcf6b92acaaf5877b5a96bf025a70838b10cd48fbd0c332c3f

SHA512
c59f86f457054f07ea234174aede57ef2d738966d161abf83778561f6c5fa9aa3e6ca1464b5c667aaaaa8c825dea820f2aef89fbbd1dcc37714a655003076c60

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cmalwarewatch.org%29\idb\2171031483YattIedMb.sqlite

Filesize
48KB

MD5
e2c8c050bb0f757859469dabaaa32426

SHA1
77d97d472ff9f38f03a7213e9570656213ab9b21

SHA256
ce43f2616c521bf6b34379a7871d0f24299440d542a54263c0f8e90f4dc4429c

SHA512
9980f2d7b2eb435948289c76946fbcd6103325468a9e6acd58473a59755da363f11e639f25b4727e65444570c041b2c5b79f230e3e4d8f5b6778a72ea68c4108

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
5.0MB

MD5
2a669618cbec27aaad7ecfd2ee3847f3

SHA1
d3bd37a9cb8def52d2951de1b3df3f87dbcfd38b

SHA256
51d199eaf10c13a530f73ba7f3b2c7a070f85ba829557714f7bc067f1797fe74

SHA512
2172076d1aa4236b812ffe9b4127a1481312a2e51c1135f395dd1633911fb3c4caf4e2844c73a04261106303da3e49eb2ab718727af0d2f3c1f7e74dc1ae8ac5

Download Submit
C:\Users\Admin\Desktop\220961719010649.bat

Filesize
318B

MD5
b741d0951bc2d29318d75208913ea377

SHA1
a13de54ccfbd4ea29d9f78b86615b028bd50d0a5

SHA256
595dc1b7a6f1d7933c2d142d773e445dbc7b1a2089243b51193bc7f730b1c8df

SHA512
bf7b44ba7f0cfe093b24f26b288b715c0f0910fa7dc5f318edfc5c4fdc8c9b8a3b6ced5b61672ecfa9820ffd054b5bc2650ae0812804d2b3fc901aa06dd3ca14

Download Submit
C:\Users\Admin\Desktop\220961719010649.bat

Filesize
318B

MD5
786465ef7ac6476bb1cfa368b112bca1

SHA1
6d155319c48a7173eba11d9f2675ac4b60c778d4

SHA256
e14891b0928a01be4ea230899300dc571984e5b4bcc69a7108a7207f6b0697d7

SHA512
0db5050ece7f737b428e79a030bd95b602fc5b0e4e9419ecfced8556a89c938cf5d77205e8e36534e1bf3642b00d84556616a8aa8705e3f3e426cb39aeef6420

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
583B

MD5
aa5911e9df38ee4f5a930006fbcc62db

SHA1
661d4901ef36f333270bd7697441a32fd21f2181

SHA256
e4193423fe08ac2f9ccef0ba933f227ae56ee8ee86d96795ae1598401d01c89e

SHA512
a9e2f27726efd73d1891861a23ec7aef3d3d9fdbaac7f821c97dfc143ccc81239409f7aa581c93e1e9fc4958ed5b923bcfa780b08d012abfbc3425e3da1ea032

Download Submit
C:\Users\Admin\Desktop\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Desktop\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Desktop\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\Desktop\m.vbs

Filesize
197B

MD5
94bdc24abf89cb36e00816911e6ae19e

SHA1
87335eea1d8eb1d70e715cc88daf248bb1f83021

SHA256
e9757f002a632de82ff9bd1283f90bcff2eec4ce6926f8b7e37879ff0c518660

SHA512
3bec73a3c6360499bb280aec0562157cda47c8ed11e3b1280c4fb8a457ab48dc1f3aea42d6a0d5c2842d60ca09436da96ef7136c0652d2b5c613fae87799ac0f

Download Submit
C:\Users\Admin\Desktop\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Desktop\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Desktop\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Desktop\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Desktop\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Desktop\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Desktop\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Desktop\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Desktop\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Desktop\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Desktop\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Desktop\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Desktop\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Desktop\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Desktop\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Desktop\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Desktop\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Desktop\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Desktop\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Desktop\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Desktop\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Desktop\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Desktop\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Desktop\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Desktop\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\Desktop\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\Desktop\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\Desktop\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\Desktop\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\Desktop\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\Desktop\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\Desktop\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\Desktop\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\Desktop\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
memory/4136-2-0x000001D890710000-0x000001D890980000-memory.dmp

Filesize
2.4MB

Download
memory/4136-13-0x000001D890710000-0x000001D890980000-memory.dmp

Filesize
2.4MB

Download
memory/4136-12-0x000001D8906F0000-0x000001D8906F1000-memory.dmp

Filesize
4KB

Download
memory/4404-2586-0x00000247DF580000-0x00000247DF581000-memory.dmp

Filesize
4KB

Download
memory/4404-2594-0x00000247DF580000-0x00000247DF581000-memory.dmp

Filesize
4KB

Download
memory/4404-2595-0x00000247DF580000-0x00000247DF581000-memory.dmp

Filesize
4KB

Download
memory/4404-2596-0x00000247DF580000-0x00000247DF581000-memory.dmp

Filesize
4KB

Download
memory/4404-2597-0x00000247DF580000-0x00000247DF581000-memory.dmp

Filesize
4KB

Download
memory/4404-2585-0x00000247DF580000-0x00000247DF581000-memory.dmp

Filesize
4KB

Download
memory/4404-2593-0x00000247DF580000-0x00000247DF581000-memory.dmp

Filesize
4KB

Download
memory/4404-2587-0x00000247DF580000-0x00000247DF581000-memory.dmp

Filesize
4KB

Download
memory/4404-2591-0x00000247DF580000-0x00000247DF581000-memory.dmp

Filesize
4KB

Download
memory/4404-2592-0x00000247DF580000-0x00000247DF581000-memory.dmp

Filesize
4KB

Download
memory/5700-1024-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/6456-2571-0x0000000074240000-0x00000000742C2000-memory.dmp

Filesize
520KB

Download
memory/6456-2636-0x0000000073F70000-0x000000007418C000-memory.dmp

Filesize
2.1MB

Download
memory/6456-2631-0x0000000000430000-0x000000000072E000-memory.dmp

Filesize
3.0MB

Download
memory/6456-2647-0x0000000000430000-0x000000000072E000-memory.dmp

Filesize
3.0MB

Download
memory/6456-2660-0x0000000000430000-0x000000000072E000-memory.dmp

Filesize
3.0MB

Download
memory/6456-2625-0x0000000073F70000-0x000000007418C000-memory.dmp

Filesize
2.1MB

Download
memory/6456-2620-0x0000000000430000-0x000000000072E000-memory.dmp

Filesize
3.0MB

Download
memory/6456-2613-0x0000000000430000-0x000000000072E000-memory.dmp

Filesize
3.0MB

Download
memory/6456-2604-0x0000000073EC0000-0x0000000073F37000-memory.dmp

Filesize
476KB

Download
memory/6456-2599-0x0000000074240000-0x00000000742C2000-memory.dmp

Filesize
520KB

Download
memory/6456-2600-0x00000000741B0000-0x0000000074232000-memory.dmp

Filesize
520KB

Download
memory/6456-2601-0x0000000074190000-0x00000000741AC000-memory.dmp

Filesize
112KB

Download
memory/6456-2602-0x0000000073F40000-0x0000000073F62000-memory.dmp

Filesize
136KB

Download
memory/6456-2603-0x0000000073F70000-0x000000007418C000-memory.dmp

Filesize
2.1MB

Download
memory/6456-2598-0x0000000000430000-0x000000000072E000-memory.dmp

Filesize
3.0MB

Download
memory/6456-2573-0x00000000741B0000-0x0000000074232000-memory.dmp

Filesize
520KB

Download
memory/6456-2574-0x0000000073F40000-0x0000000073F62000-memory.dmp

Filesize
136KB

Download
memory/6456-2572-0x0000000073F70000-0x000000007418C000-memory.dmp

Filesize
2.1MB

Download
memory/6456-2575-0x0000000000430000-0x000000000072E000-memory.dmp

Filesize
3.0MB

Download