wannacry | dd4999b97ad8f28ff37f8a7be47b3da151cda1fd5f734e16b138c9d3bccf2e40

Analysis

max time kernel
585s
max time network
586s
platform
windows11-21h2_x64
resource
win11-20240730-en
resource tags

arch:x64arch:x86image:win11-20240730-enlocale:en-usos:windows11-21h2-x64system
submitted
31-07-2024 09:31

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

exploits.html
Size

24KB
MD5

ee502c9b199d0f6ba2e3646c992980ec
SHA1

8e144ae77cd7cfcf38c6f1816ba1d7b5941593ef
SHA256

dd4999b97ad8f28ff37f8a7be47b3da151cda1fd5f734e16b138c9d3bccf2e40
SHA512

d4afc198ac94803dcdf549344b94890c319aa5af790fe93a61befb714b70ac51892e5b23230aff03d1daae034f539cde9ca17a04567a97f6d9cbd1ddc211573c
SSDEEP

768:7rTilU9RC9fvOflS5/u01/8xWApJingqna03O7m7Y7dMdsx3wfc5BvSJKNjl1eqU:rilU9RC9fWflS5/u0/8xWAringqna03t

Score

10^/10

wannacry defense_evasion discovery execution impact persistence privilege_escalation ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 1 IoCs

Processes:

WannaCry.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDF980.tmp	WannaCry.EXE

Executes dropped EXE 32 IoCs

Processes:

Kiwi X.exeKiwi X.exeKiwi X.exeKiwi X.exeKiwi X.exeKiwi X.exeWannaCry.EXEtaskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
2328	Kiwi X.exe
3864	Kiwi X.exe
1080	Kiwi X.exe
2120	Kiwi X.exe
4412	Kiwi X.exe
4184	Kiwi X.exe
5052	WannaCry.EXE
5008	taskdl.exe
728	@[email protected]
5004	@[email protected]
1352	taskhsvc.exe
2072	taskdl.exe
3476	taskse.exe
1752	@[email protected]
2384	taskdl.exe
4816	taskse.exe
3796	@[email protected]
2260	taskdl.exe
1792	taskse.exe
3568	@[email protected]
3952	taskse.exe
3076	@[email protected]
3132	taskdl.exe
5080	taskse.exe
3948	@[email protected]
1240	taskdl.exe
2888	taskse.exe
984	@[email protected]
4932	taskdl.exe
1636	taskse.exe
2628	@[email protected]
1284	taskdl.exe

Loads dropped DLL 17 IoCs

Processes:

Kiwi X.exeKiwi X.exeKiwi X.exeKiwi X.exeKiwi X.exeKiwi X.exetaskhsvc.exe

pid	process
2328	Kiwi X.exe
3864	Kiwi X.exe
1080	Kiwi X.exe
2120	Kiwi X.exe
3864	Kiwi X.exe
3864	Kiwi X.exe
3864	Kiwi X.exe
3864	Kiwi X.exe
4412	Kiwi X.exe
4184	Kiwi X.exe
1352	taskhsvc.exe
1352	taskhsvc.exe
1352	taskhsvc.exe
1352	taskhsvc.exe
1352	taskhsvc.exe
1352	taskhsvc.exe
1352	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4796 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4796	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Kiwi X.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3070649267-739947649-3250922198-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kiwi X = "C:\\Users\\Admin\\AppData\\Roaming\\Kiwi X\\Kiwi X.exe"	Kiwi X.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pzevvqfiwu285 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

97 camo.githubusercontent.com
104 raw.githubusercontent.com
105 raw.githubusercontent.com
2 raw.githubusercontent.com
51 raw.githubusercontent.com

flow	ioc
97	camo.githubusercontent.com
104	raw.githubusercontent.com
105	raw.githubusercontent.com
2	raw.githubusercontent.com
51	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

Processes:

utilman.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_2FFB4D8D2BBA45F0861D6D7A75BF4E81.dat	utilman.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_2FFB4D8D2BBA45F0861D6D7A75BF4E81.dat	utilman.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WannaCry.EXE@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3070649267-739947649-3250922198-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3070649267-739947649-3250922198-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 6 IoCs

Processes:

chrome.exechrome.exesetup.exesetup.exechrome.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier msedge.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

attrib.exetaskse.exetaskse.exe@[email protected]icacls.execmd.exe@[email protected]taskdl.exetaskdl.execmd.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskhsvc.exe@[email protected]taskse.execscript.exetaskdl.exetaskse.exeWannaCry.EXEtaskdl.exe@[email protected]cmd.exetaskdl.exetaskdl.exeattrib.exetaskdl.exe@[email protected]@[email protected]Kiwi X.exe@[email protected]cmd.exeWMIC.exereg.exetaskse.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiwi X.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exemsedge.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

utilman.exeLogonUI.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Chinese\CLSID = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\TraditionalChinese\Attributes	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_CURRENT_USER\SOFTWARE	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\AudioInput\DefaultDefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\AudioInput\\TokenEnums\\MMAudioIn\\"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\SpeechUXPlugins\Tokens\SpeechUXPlugin\CLSID = "{37A9D401-0BF5-4366-9530-C75C6DC23EC9}"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\Attributes	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Attributes\DictationInCFG = "Anywhere;Trailing"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM\Attributes\Language = "409"	utilman.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\TraditionalChinese\Attributes\NumericPhones	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech\AudioOutput	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files\Datafile = "%1a%\\Microsoft\\Speech\\Files\\UserLexicons\\SP_2FFB4D8D2BBA45F0861D6D7A75BF4E81.dat"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{787beea4-c945-4b7f-98ad-e5ab7004ede2}\Attributes\Technology = "MMSys"	utilman.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\AudioOutput\DefaultDefaultTokenId = "HKEY_LOCAL_MACHINE/SOFTWARE\\Microsoft\\Speech_OneCore\\AudioOutput\\TokenEnums\\MMAudioOut\\"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\AlternatesCLSID = "{06405088-BC01-4E08-B392-5303E75090C8}"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\LocaleHandler\CLSID = "{15E16AEC-F2F0-4E52-B0DF-029D11E58E4B}"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Models\1033\ = "L1033"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\Attributes\Language = "409"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-SW\Attributes\VAEngineType = "SW"	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\AppLexicons	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\AudioInput	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\English\ = "English Phone Converter"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\English\Attributes	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\TraditionalChinese\PhoneMap = "002D 002D 0021 0021 0026 0026 002C 002C 002E 002E 003F 003F 005F 005F 002B 002B 002A 002A 02C9 02C9 02CA 02CA 02C7 02C7 02CB 02CB 02D9 02D9 3000 3000 3105 3105 3106 3106 3107 3107 3108 3108 3109 3109 310A 310A 310B 310B 310C 310C 310D 310D 310E 310E 310F 310F 3110 3110 3111 3111 3112 3112 3113 3113 3114 3114 3115 3115 3116 3116 3117 3117 3118 3118 3119 3119 3127 3127 3128 3128 3129 3129 311A 311A 311B 311B 311C 311C 311D 311D 311E 311E 311F 311F 3120 3120 3121 3121 3122 3122 3123 3123 3124 3124 3125 3125 3126 3126"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\TextNorm	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_MarkM	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-HW\Attributes\Language = "409"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\French	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Chinese\ = "Traditional Chinese Phone Converter"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Chinese\PhoneMap = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 + 0008 * 0009 1 000A 2 000B 3 000C 4 000D 5 000E a 000F ai 0010 an 0011 ang 0012 ao 0013 ba 0014 bai 0015 ban 0016 bang 0017 bao 0018 bei 0019 ben 001A beng 001B bi 001C bian 001D biao 001E bie 001F bin 0020 bing 0021 bo 0022 bu 0023 ca 0024 cai 0025 can 0026 cang 0027 cao 0028 ce 0029 cen 002A ceng 002B cha 002C chai 002D chan 002E chang 002F chao 0030 che 0031 chen 0032 cheng 0033 chi 0034 chong 0035 chou 0036 chu 0037 chuai 0038 chuan 0039 chuang 003A chui 003B chun 003C chuo 003D ci 003E cong 003F cou 0040 cu 0041 cuan 0042 cui 0043 cun 0044 cuo 0045 da 0046 dai 0047 dan 0048 dang 0049 dao 004A de 004B dei 004C den 004D deng 004E di 004F dia 0050 dian 0051 diao 0052 die 0053 ding 0054 diu 0055 dong 0056 dou 0057 du 0058 duan 0059 dui 005A dun 005B duo 005C e 005D ei 005E en 005F er 0060 fa 0061 fan 0062 fang 0063 fei 0064 fen 0065 feng 0066 fo 0067 fou 0068 fu 0069 ga 006A gai 006B gan 006C gang 006D gao 006E ge 006F gei 0070 gen 0071 geng 0072 gong 0073 gou 0074 gu 0075 gua 0076 guai 0077 guan 0078 guang 0079 gui 007A gun 007B guo 007C ha 007D hai 007E han 007F hang 0080 hao 0081 he 0082 hei 0083 hen 0084 heng 0085 hong 0086 hou 0087 hu 0088 hua 0089 huai 008A huan 008B huang 008C hui 008D hun 008E huo 008F ji 0090 jia 0091 jian 0092 jiang 0093 jiao 0094 jie 0095 jin 0096 jing 0097 jiong 0098 jiu 0099 ju 009A juan 009B jue 009C jun 009D ka 009E kai 009F kan 00A0 kang 00A1 kao 00A2 ke 00A3 kei 00A4 ken 00A5 keng 00A6 kong 00A7 kou 00A8 ku 00A9 kua 00AA kuai 00AB kuan 00AC kuang 00AD kui 00AE kun 00AF kuo 00B0 la 00B1 lai 00B2 lan 00B3 lang 00B4 lao 00B5 le 00B6 lei 00B7 leng 00B8 li 00B9 lia 00BA lian 00BB liang 00BC liao 00BD lie 00BE lin 00BF ling 00C0 liu 00C1 lo 00C2 long 00C3 lou 00C4 lu 00C5 luan 00C6 lue 00C7 lun 00C8 luo 00C9 lv 00CA ma 00CB mai 00CC man 00CD mang 00CE mao 00CF me 00D0 mei 00D1 men 00D2 meng 00D3 mi 00D4 mian 00D5 miao 00D6 mie 00D7 min 00D8 ming 00D9 miu 00DA mo 00DB mou 00DC mu 00DD na 00DE nai 00DF nan 00E0 nang 00E1 nao 00E2 ne 00E3 nei 00E4 nen 00E5 neng 00E6 ni 00E7 nian 00E8 niang 00E9 niao 00EA nie 00EB nin 00EC ning 00ED niu 00EE nong 00EF nou 00F0 nu 00F1 nuan 00F2 nue 00F3 nuo 00F4 nv 00F5 o 00F6 ou 00F7 pa 00F8 pai 00F9 pan 00FA pang 00FB pao 00FC pei 00FD pen 00FE peng 00FF pi 0100 pian 0101 piao 0102 pie 0103 pin 0104 ping 0105 po 0106 pou 0107 pu 0108 qi 0109 qia 010A qian 010B qiang 010C qiao 010D qie 010E qin 010F qing 0110 qiong 0111 qiu 0112 qu 0113 quan 0114 que 0115 qun 0116 ran 0117 rang 0118 rao 0119 re 011A ren 011B reng 011C ri 011D rong 011E rou 011F ru 0120 ruan 0121 rui 0122 run 0123 ruo 0124 sa 0125 sai 0126 san 0127 sang 0128 sao 0129 se 012A sen 012B seng 012C sha 012D shai 012E shan 012F shang 0130 shao 0131 she 0132 shei 0133 shen 0134 sheng 0135 shi 0136 shou 0137 shu 0138 shua 0139 shuai 013A shuan 013B shuang 013C shui 013D shun 013E shuo 013F si 0140 song 0141 sou 0142 su 0143 suan 0144 sui 0145 sun 0146 suo 0147 ta 0148 tai 0149 tan 014A tang 014B tao 014C te 014D tei 014E teng 014F ti 0150 tian 0151 tiao 0152 tie 0153 ting 0154 tong 0155 tou 0156 tu 0157 tuan 0158 tui 0159 tun 015A tuo 015B wa 015C wai 015D wan 015E wang 015F wei 0160 wen 0161 weng 0162 wo 0163 wu 0164 xi 0165 xia 0166 xian 0167 xiang 0168 xiao 0169 xie 016A xin 016B xing 016C xiong 016D xiu 016E xu 016F xuan 0170 xue 0171 xun 0172 ya 0173 yan 0174 yang 0175 yao 0176 ye 0177 yi 0178 yin 0179 ying 017A yo 017B yong 017C you 017D yu 017E yuan 017F yue 0180 yun 0181 za 0182 zai 0183 zan 0184 zang 0185 zao 0186 ze 0187 zei 0188 zen 0189 zeng 018A zha 018B zhai 018C zhan 018D zhang 018E zhao 018F zhe 0190 zhei 0191 zhen 0192 zheng 0193 zhi 0194 zhong 0195 zhou 0196 zhu 0197 zhua 0198 zhuai 0199 zhuan 019A zhuang 019B zhui 019C zhun 019D zhuo 019E zi 019F zong 01A0 zou 01A1 zu 01A2 zuan 01A3 zui 01A4 zun 01A5 zuo 01A6"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Japanese\CLSID = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\UXLanguages\Tokens\en-US\CortanaVoiceGender = "1"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\ = "Microsoft Zira - English (United States)"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\Attributes\Vendor = "Microsoft"	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-SW\Attributes	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_DavidM\ = "Microsoft David - English (United States)"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Attributes\WordSequences	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Lts\Datafile = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\r1033sr.lxa"	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\VoiceActivation\Tokens\en-US-HW\ = "Microsoft Speech HW Voice Activation - English (United States)"	utilman.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\Universal	utilman.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Autodetection = "0"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Lookup	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Voices\Tokens\MSTTS_V110_enUS_ZiraM\Attributes\Name = "Microsoft Zira"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\PhoneConverters\Tokens\TraditionalChinese	utilman.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Lookup\Datafile = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\lsr1033.lxa"	utilman.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Speech_OneCore\Isolated\zSMeVgHcAfbzUDAeuvXxdIs04rvNIEuvZVZUFpWUe20\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech_OneCore\Recognizers\Tokens\MS-1033-110-WINMO-DNN\Background Adaptation = "0"	utilman.exe

Modifies registry class 3 IoCs

Processes:

MiniSearchHost.exemsedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3070649267-739947649-3250922198-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3070649267-739947649-3250922198-1000\{1B0DDA8C-95F4-4F8F-AAA4-8DEE4B43AE2F}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3070649267-739947649-3250922198-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

388 reg.exe

pid	process
388	reg.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Kiwi.X.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exetaskhsvc.exechrome.exechrome.exechrome.exemsedge.exemsedge.exeutilman.exe

pid	process
4564	msedge.exe
4564	msedge.exe
3364	msedge.exe
3364	msedge.exe
2352	msedge.exe
2352	msedge.exe
2752	identity_helper.exe
2752	identity_helper.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
1624	msedge.exe
1624	msedge.exe
2248	msedge.exe
2248	msedge.exe
1396	msedge.exe
1396	msedge.exe
1352	taskhsvc.exe
1352	taskhsvc.exe
1352	taskhsvc.exe
1352	taskhsvc.exe
1352	taskhsvc.exe
1352	taskhsvc.exe
2940	chrome.exe
2940	chrome.exe
2676	chrome.exe
2676	chrome.exe
3276	chrome.exe
3276	chrome.exe
4064	msedge.exe
4064	msedge.exe
3812	msedge.exe
3812	msedge.exe
2740	utilman.exe
2740	utilman.exe
2740	utilman.exe
2740	utilman.exe
2740	utilman.exe
2740	utilman.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 44 IoCs

Processes:

msedge.exechrome.exechrome.exechrome.exemsedge.exe

pid	process
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
3276	chrome.exe
3276	chrome.exe
3276	chrome.exe
3276	chrome.exe
3276	chrome.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Kiwi X.exeWMIC.exe

description	pid	process
Token: SeShutdownPrivilege	2328	Kiwi X.exe
Token: SeCreatePagefilePrivilege	2328	Kiwi X.exe
Token: SeShutdownPrivilege	2328	Kiwi X.exe
Token: SeCreatePagefilePrivilege	2328	Kiwi X.exe
Token: SeShutdownPrivilege	2328	Kiwi X.exe
Token: SeCreatePagefilePrivilege	2328	Kiwi X.exe
Token: SeShutdownPrivilege	2328	Kiwi X.exe
Token: SeCreatePagefilePrivilege	2328	Kiwi X.exe
Token: SeShutdownPrivilege	2328	Kiwi X.exe
Token: SeCreatePagefilePrivilege	2328	Kiwi X.exe
Token: SeShutdownPrivilege	2328	Kiwi X.exe
Token: SeCreatePagefilePrivilege	2328	Kiwi X.exe
Token: SeShutdownPrivilege	2328	Kiwi X.exe
Token: SeCreatePagefilePrivilege	2328	Kiwi X.exe
Token: SeShutdownPrivilege	2328	Kiwi X.exe
Token: SeCreatePagefilePrivilege	2328	Kiwi X.exe
Token: SeShutdownPrivilege	2328	Kiwi X.exe
Token: SeCreatePagefilePrivilege	2328	Kiwi X.exe
Token: SeShutdownPrivilege	2328	Kiwi X.exe
Token: SeCreatePagefilePrivilege	2328	Kiwi X.exe
Token: SeShutdownPrivilege	2328	Kiwi X.exe
Token: SeCreatePagefilePrivilege	2328	Kiwi X.exe
Token: SeShutdownPrivilege	2328	Kiwi X.exe
Token: SeCreatePagefilePrivilege	2328	Kiwi X.exe
Token: SeShutdownPrivilege	2328	Kiwi X.exe
Token: SeCreatePagefilePrivilege	2328	Kiwi X.exe
Token: SeShutdownPrivilege	2328	Kiwi X.exe
Token: SeCreatePagefilePrivilege	2328	Kiwi X.exe
Token: SeShutdownPrivilege	2328	Kiwi X.exe
Token: SeCreatePagefilePrivilege	2328	Kiwi X.exe
Token: SeShutdownPrivilege	2328	Kiwi X.exe
Token: SeCreatePagefilePrivilege	2328	Kiwi X.exe
Token: SeIncreaseQuotaPrivilege	5044	WMIC.exe
Token: SeSecurityPrivilege	5044	WMIC.exe
Token: SeTakeOwnershipPrivilege	5044	WMIC.exe
Token: SeLoadDriverPrivilege	5044	WMIC.exe
Token: SeSystemProfilePrivilege	5044	WMIC.exe
Token: SeSystemtimePrivilege	5044	WMIC.exe
Token: SeProfSingleProcessPrivilege	5044	WMIC.exe
Token: SeIncBasePriorityPrivilege	5044	WMIC.exe
Token: SeCreatePagefilePrivilege	5044	WMIC.exe
Token: SeBackupPrivilege	5044	WMIC.exe
Token: SeRestorePrivilege	5044	WMIC.exe
Token: SeShutdownPrivilege	5044	WMIC.exe
Token: SeDebugPrivilege	5044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5044	WMIC.exe
Token: SeRemoteShutdownPrivilege	5044	WMIC.exe
Token: SeUndockPrivilege	5044	WMIC.exe
Token: SeManageVolumePrivilege	5044	WMIC.exe
Token: 33	5044	WMIC.exe
Token: 34	5044	WMIC.exe
Token: 35	5044	WMIC.exe
Token: 36	5044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5044	WMIC.exe
Token: SeSecurityPrivilege	5044	WMIC.exe
Token: SeTakeOwnershipPrivilege	5044	WMIC.exe
Token: SeLoadDriverPrivilege	5044	WMIC.exe
Token: SeSystemProfilePrivilege	5044	WMIC.exe
Token: SeSystemtimePrivilege	5044	WMIC.exe
Token: SeProfSingleProcessPrivilege	5044	WMIC.exe
Token: SeIncBasePriorityPrivilege	5044	WMIC.exe
Token: SeCreatePagefilePrivilege	5044	WMIC.exe
Token: SeBackupPrivilege	5044	WMIC.exe
Token: SeRestorePrivilege	5044	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

msedge.exechrome.exechrome.exe

pid	process
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
3364	msedge.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]MiniSearchHost.exe@[email protected]LogonUI.exe@[email protected]utilman.exe

pid	process
728	@[email protected]
5004	@[email protected]
5004	@[email protected]
728	@[email protected]
1752	@[email protected]
1752	@[email protected]
3796	@[email protected]
3568	@[email protected]
3076	@[email protected]
3948	@[email protected]
3284	MiniSearchHost.exe
984	@[email protected]
1788	LogonUI.exe
2628	@[email protected]
2740	utilman.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3364 wrote to memory of 3340	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 3340	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 8	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 4564	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 4564	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe
PID 3364 wrote to memory of 1028	3364	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4764 attrib.exe
820 attrib.exe

pid	process
4764	attrib.exe
820	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\exploits.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xe4,0xe8,0xdc,0xe0,0x10c,0x7ff95e653cb8,0x7ff95e653cc8,0x7ff95e653cd8
2⤵
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
2⤵
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
2⤵
PID:1028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
2⤵
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
2⤵
PID:1984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
2⤵
PID:3120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
2⤵
PID:1392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
2⤵
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
2⤵
PID:1844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
2⤵
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6152 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5424 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
2⤵
PID:3928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
2⤵
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
2⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
2⤵
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
2⤵
PID:852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
2⤵
PID:624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5704 /prefetch:8
2⤵
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4624 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
2⤵
PID:520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
2⤵
PID:1968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
2⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
2⤵
PID:2516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
2⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
2⤵
PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
2⤵
PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
2⤵
PID:2368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3432 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2904 /prefetch:1
2⤵
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
2⤵
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
2⤵
PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:1092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
2⤵
PID:972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
2⤵
PID:3392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
2⤵
PID:3272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
2⤵
PID:2668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
2⤵
PID:3428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7284 /prefetch:8
2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,7455615227458309154,12700815189597839908,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7236 /prefetch:8
2⤵
PID:3092

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
2⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:5052

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4764

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4796

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 179531722418636.bat
3⤵
- System Location Discovery: System Language Discovery
PID:1596

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
4⤵
- System Location Discovery: System Language Discovery
PID:2732

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:820

C:\Users\Admin\Downloads\@[email protected]
@[email protected] co
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:728

C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
3⤵
- System Location Discovery: System Language Discovery
PID:4916

C:\Users\Admin\Downloads\@[email protected]
@[email protected] vs
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
5⤵
- System Location Discovery: System Language Discovery
PID:5076

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2072

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3476

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+buy+bitcoin
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff95e653cb8,0x7ff95e653cc8,0x7ff95e653cd8
5⤵
PID:1044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,2482193922369720932,2566967342670709801,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
5⤵
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,2482193922369720932,2566967342670709801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,2482193922369720932,2566967342670709801,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
5⤵
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,2482193922369720932,2566967342670709801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
5⤵
PID:1680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,2482193922369720932,2566967342670709801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
5⤵
PID:3372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,2482193922369720932,2566967342670709801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
5⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "pzevvqfiwu285" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
3⤵
- System Location Discovery: System Language Discovery
PID:1808

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "pzevvqfiwu285" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:388

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2384

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4816

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3796

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1792

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2260

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3568

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3952

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3076

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3132

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5080

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3948

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1240

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2888

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:984

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4932

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1636

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2628

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\Temp1_Kiwi.X.zip\Kiwi X.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Kiwi.X.zip\Kiwi X.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1536

C:\Users\Admin\AppData\Roaming\Kiwi X\Kiwi X.exe
"C:\Users\Admin\AppData\Roaming\Kiwi X\Kiwi X.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Users\Admin\AppData\Roaming\Kiwi X\Kiwi X.exe
"C:\Users\Admin\AppData\Roaming\Kiwi X\Kiwi X.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\kiwi-x-nativefier-f28be5" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1440 --field-trial-handle=1772,i,3222513000384063599,2019364833177177276,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3864

C:\Users\Admin\AppData\Roaming\Kiwi X\Kiwi X.exe
"C:\Users\Admin\AppData\Roaming\Kiwi X\Kiwi X.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\kiwi-x-nativefier-f28be5" --mojo-platform-channel-handle=1972 --field-trial-handle=1772,i,3222513000384063599,2019364833177177276,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1080

C:\Users\Admin\AppData\Roaming\Kiwi X\Kiwi X.exe
"C:\Users\Admin\AppData\Roaming\Kiwi X\Kiwi X.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\kiwi-x-nativefier-f28be5" --app-user-model-id=kiwi-x-nativefier-f28be5 --app-path="C:\Users\Admin\AppData\Roaming\Kiwi X\resources\app" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2228 --field-trial-handle=1772,i,3222513000384063599,2019364833177177276,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120

C:\Users\Admin\AppData\Roaming\Kiwi X\Kiwi X.exe
"C:\Users\Admin\AppData\Roaming\Kiwi X\Kiwi X.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\kiwi-x-nativefier-f28be5" --app-user-model-id=kiwi-x-nativefier-f28be5 --app-path="C:\Users\Admin\AppData\Roaming\Kiwi X\resources\app" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1772,i,3222513000384063599,2019364833177177276,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4412

C:\Users\Admin\AppData\Roaming\Kiwi X\Kiwi X.exe
"C:\Users\Admin\AppData\Roaming\Kiwi X\Kiwi X.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\kiwi-x-nativefier-f28be5" --app-user-model-id=kiwi-x-nativefier-f28be5 --app-path="C:\Users\Admin\AppData\Roaming\Kiwi X\resources\app" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3208 --field-trial-handle=1772,i,3222513000384063599,2019364833177177276,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4184

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B4 0x00000000000004E8
1⤵
PID:3200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:2940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95de6cc40,0x7ff95de6cc4c,0x7ff95de6cc58
2⤵
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1748,i,17228764363406849837,12424463988997038072,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=1740 /prefetch:2
2⤵
PID:2248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,17228764363406849837,12424463988997038072,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2116 /prefetch:3
2⤵
PID:1600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,17228764363406849837,12424463988997038072,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2192 /prefetch:8
2⤵
PID:2428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,17228764363406849837,12424463988997038072,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3088 /prefetch:1
2⤵
PID:1056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3320,i,17228764363406849837,12424463988997038072,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:3336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4500,i,17228764363406849837,12424463988997038072,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4524 /prefetch:1
2⤵
PID:2944

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff95de6cc40,0x7ff95de6cc4c,0x7ff95de6cc58
2⤵
PID:1452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,10702865104342406166,6428980385741439187,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=1948 /prefetch:2
2⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1708,i,10702865104342406166,6428980385741439187,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2176 /prefetch:3
2⤵
PID:3272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,10702865104342406166,6428980385741439187,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=2376 /prefetch:8
2⤵
PID:1892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,10702865104342406166,6428980385741439187,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3100 /prefetch:1
2⤵
PID:3388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,10702865104342406166,6428980385741439187,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=3136 /prefetch:1
2⤵
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4368,i,10702865104342406166,6428980385741439187,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4400 /prefetch:1
2⤵
PID:1816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4708,i,10702865104342406166,6428980385741439187,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4720 /prefetch:8
2⤵
PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4864,i,10702865104342406166,6428980385741439187,262144 --variations-seed-version=20240730-050116.493000 --mojo-platform-channel-handle=4880 /prefetch:8
2⤵
PID:1008

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
- Drops file in Windows directory
PID:928

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff624684698,0x7ff6246846a4,0x7ff6246846b0
3⤵
- Drops file in Windows directory
PID:1608

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff95de6cc40,0x7ff95de6cc4c,0x7ff95de6cc58
2⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,16651208537364111464,18120938175095294212,262144 --variations-seed-version=20240730-180148.286000 --mojo-platform-channel-handle=1932 /prefetch:2
2⤵
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1776,i,16651208537364111464,18120938175095294212,262144 --variations-seed-version=20240730-180148.286000 --mojo-platform-channel-handle=1976 /prefetch:3
2⤵
PID:3704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,16651208537364111464,18120938175095294212,262144 --variations-seed-version=20240730-180148.286000 --mojo-platform-channel-handle=2072 /prefetch:8
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,16651208537364111464,18120938175095294212,262144 --variations-seed-version=20240730-180148.286000 --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:2436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,16651208537364111464,18120938175095294212,262144 --variations-seed-version=20240730-180148.286000 --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4408,i,16651208537364111464,18120938175095294212,262144 --variations-seed-version=20240730-180148.286000 --mojo-platform-channel-handle=3752 /prefetch:1
2⤵
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4748,i,16651208537364111464,18120938175095294212,262144 --variations-seed-version=20240730-180148.286000 --mojo-platform-channel-handle=4772 /prefetch:8
2⤵
PID:2080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4932,i,16651208537364111464,18120938175095294212,262144 --variations-seed-version=20240730-180148.286000 --mojo-platform-channel-handle=4944 /prefetch:8
2⤵
PID:4360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4592,i,16651208537364111464,18120938175095294212,262144 --variations-seed-version=20240730-180148.286000 --mojo-platform-channel-handle=4780 /prefetch:1
2⤵
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4392,i,16651208537364111464,18120938175095294212,262144 --variations-seed-version=20240730-180148.286000 --mojo-platform-channel-handle=4668 /prefetch:1
2⤵
PID:1480

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1008

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3284

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39fa855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1788

C:\Windows\system32\utilman.exe
utilman.exe /debug
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
585B

MD5
48d1046d101b3d71d0ebf2cf16eb6d56

SHA1
97ec4ce1ebeb35111064add3a74f7f96b03c99f5

SHA256
739c0970d2636c221051794cbc5eb0e705b4bd99d9a334d3fde01ce564a9058d

SHA512
a8194a81cb118bd9788b4423b91a32366cce030e106946512efa422d4fdeaa17143d764541e4bd81d144dc6dd6ad9c556a6f587d296094111d61a9dc950347f8

Download Submit
C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-3070649267-739947649-3250922198-1000\ReadOnly\LockScreen_Z\LockScreen___1280_0720_notdimmed.jpg

Filesize
62KB

MD5
6cb7e9f13c79d1dd975a8aa005ab0256

SHA1
eac7fc28cc13ac1e9c85f828215cd61f0c698ae3

SHA256
af2537d470fddbeda270c965b8dbdf7e9ccf480ed2f525012e2f1035112a6d67

SHA512
3a40359d8e4cc8792be78a022dc04daed5c1cc55d78fe9cf3e061ea5587baa15023ce2152238f5be5cc5124cd468f220cf9dab54344d93edd3dfcd400b24469d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
44e23ed1cb4a0617fd230d9934b3720c

SHA1
f67e68cfbbc7f94433902d7d50d7fdff9677b340

SHA256
f9e68cd90ce09252436fdcc804650967486e5dabc2ee15c81a00a1def70078a9

SHA512
16a80b36ac85917f7edd08d9148baae1c680ccd8cfaa29983d0899fbdd6184840d3df71b92ba06359b9a2076090b281ba4b9f1ec4d7e3558c7a4c9e8d7da1c82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4d446f16-2746-4a8b-aee5-1d627028e038.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
6cbdba31d888e3def0d73ace3a3fdc8e

SHA1
106125c57d8cff0ce63a3fdfd1f666f659fa0e40

SHA256
2d7335ecd40cd326db86bab4d55530677665f39d7d54ec2043ce390dd198fb73

SHA512
87e3f6ee53b4333d6439a4d05ae093fafc3d18e8b498fe17e94b5381cd42912a9895590d87af34e989e5bcf64ff754e0ed60660e0b3c82bc894f712871719249

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
8d33e4d40392e19c620efbbab37efec0

SHA1
5f210ec2a27b18928a1b8f5ca9711824c8882776

SHA256
fb57388b103b32e3ea89b0cf819d3f5b0e065df83664a74621d1c3e296235e3b

SHA512
db0edf26d66ff07ec0633eac77eb784419cc0d5514a5d682b72093c1250b7c29e3ea123626e2edbb14f61e1d8708f438b6c40194c1b57e4033b6195e11fd9d2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9a96c1dd02940ad12c8de3298b36b58f

SHA1
d2a74f145fd4e9147bf5ad1bc993484b392884de

SHA256
a082f6d6f7d5c06ac68c2ffab901db297db33d2cf78cce01f84fe0baa0803123

SHA512
ae29e681e1c3536df2bb455eac942fe0199c0d84f154bcc9ede4976bb0ddc3f859d5f558879cbe481c605f190ec95c2fd226975e8377f8000b80f0a556ccbf46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6cd09def24a65e078a23af6e139d61ef

SHA1
63e843243e36e1cb74649f3f673e7986915f4ba7

SHA256
fdc1cc7d8717eb0dfdfeff82fd94264a7c583d6d06a9f7f2740c500598ab5fc9

SHA512
0b3ef457f3c19ba9a0306b9cf342e0d2673eeb39284f0f824878f7e1624f92194766b773fc66c1b4f0f63f1167cc4ac3700bb389b8cd8ce426e3293a636df9ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
547bca300b024e668ba3e8930a4d759b

SHA1
6409e1f928205d16db296fc3357fffa8b20f888f

SHA256
12b18f50b93fc0d20381619efb6a875024947b3fbc4d60665fb76150697f14af

SHA512
8a14bf303a2a5904b4d44a520d1a828af2d8f98e94a4e927d64a1915d3f3e978f75913e1210bc7f6c226c0bcb7e8415a2cc9c9d6a650aacba5f1e34cfa2d2e79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
24862bbd780210541a51a1e4dd1a20ec

SHA1
519e16c3f73663345fcdd9db8b9e56a1d98c3246

SHA256
03efcb89905ea43742fc89220985b12dac5c919dc06acd7f8e5c0b81d50d288c

SHA512
6feec875b5468cbde21ce59d8f6ec7191dab3ea5fc05e2b3ffa4650170aec8e2cb5c021eb478c0aa96651cd397001dc77fd1bca4ab9ac74639492eb81845081b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
fcdc54aedc6953869e41d2dc861c3c55

SHA1
1f079ee813f3e21e5628496290de701a04a00be8

SHA256
1a977791659e2a5162439772b5e9bc0ff72f7ffb4e189a18384ea434b5feb8f2

SHA512
a01a720b933e24d185187ba66537ba01a2e27fa357c121e179ff106ef53167a8db5aff3150c54c30fd2d95ea9ab9328213eb063c560aaf340b0a93063f516b0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
744e69390683cb1ad30390d134aaf247

SHA1
1665afca4af79141e2c92337ff80a51053f5cf13

SHA256
a9fd850c4de2dc1aa03878e7db2537e10c9bcb228099339b058049881209ebe0

SHA512
c72c23f94eb54bc31b01f817d4a3129d503f7702a25e0421c90f2162cf28e813f011dc9b9ff597d4fe2b65c61c0f9732556cf942d650cb3a04240b106509dd61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
79533c04b47d58b0ba3e0a6715e4ae32

SHA1
bb2742d49d886f196e9e3923b28edbc8a046dca1

SHA256
5c119df34f9d139f9f8662b76967baa47641062c4d264589727507bcf2ed1cc7

SHA512
c59a0c6a403c5fec9a37c8da8390087c463f9b44a2ffe2988861421ee2c4eaaacb34ccf113ca2bce02ec0ed79ea2ac94fe2ecbe328e4324c963e4b9827c8662b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eedd5206ee770d6030d56e9c8090ff5e

SHA1
3506dd782d5a92bd0915bfd5710b3ca89f407aac

SHA256
f3ace75d8d19eb774dc2cf43c9dc5a195da763e3e3e25c5c4a620ccffec366ea

SHA512
d60f10d36246c2ea5bae6cd7fb4f73958c9b6c26b570e403fca56bbe1a3f73033e72f002af8a799a41b934e270d5858d6f34261b56cdc64622acf3b904a28d76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
410d39628bc7d993eb7f2529584cf1e8

SHA1
ba04ecb6ba344adf4a220b7db3ba694d416ea22f

SHA256
e95d183f7ea7aa5bef13c6d790aaaaa73a6b5388b802764097877814dfcaca18

SHA512
3aa9ddbc0552a32a469e4652c675cf2e85eb0cd8506c7201dc6d448d3538856a47f2a92ebaccefd7995de63dcc8b734aefc9baa7d4e8b90afa423723c7555999

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6703998dc5b8049962826038825c440c

SHA1
110cdc7f161fb1d56c98eed6ed0431b4131c26b5

SHA256
cdde51ff7972bc7017ce084a35e1197345f1ba8dc6075ba11eef7445eb8c8469

SHA512
65ce20014de61b2da78a485e9c78c1c884b55502e227acabc4c8087c997ccfb106e21eb24ac70d152ebaa9f2c39c84b738eba1652d9dbd7fca30b3bfc711b3d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7d8057749eccb5055f00241b089fc791

SHA1
a1b9010ed1482fe9fea4b878f24eff74f5ea26ae

SHA256
34b2933dbc81cd37422a80689889a9d4d84bf393e05a310a7cd3bd9de79dd61b

SHA512
dab2320894c668e6fa50f41c7d60f77d83e19f3770750cd031ef8fff64adc5bfba3d2b8124583f69f2f5d8c2972a1b17782ad1cfec235baf0d8447f6bae74742

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d002b632d0c6b83e1289ec87b242fc09

SHA1
2d3b76f9538ade18ed69255329206e3ba98163a9

SHA256
6af44a49eaaab004c612c07434d95124c95075542386e95002d09e1cb51108c7

SHA512
44573391ec03e4973a7fdb54ee244475d9dca69a72e0e52962454cbed05f161c51bad1d9f5fc0517c021ddabac68f674f0b1f64f53f58648958f469f6f89a42d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cc0649af49632563dad98e4b1237dfd4

SHA1
66cb1c1fcbd0b60cc7d5954b3215fa143e7e0978

SHA256
39d95621cc4e00bdce36cd033499614c7dc5533714478cf56b8d761dabcb8504

SHA512
a7741be288329c29344129d04c938931937e19c2370ae47f0df0023af0d88288fbc961a95acade66da2d729568e4f08a4d380689c3fa8d50a5f678702b8da7ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d6a18087736f93f2e0a36c1c07064288

SHA1
d87daf6e64c0068edd4c6c9c5624a15392dcfe6d

SHA256
ac2a9a4e70210fa76f007468d4d06d5a76ab4686b7c8efe545f8dc161e8fc47f

SHA512
08e978bc41cebf44d70bfb87c635fe3cbfaf568b339c2c747c18861cf8945462ac20e95fcd7360ea7432b72ae35e8402497e8bb1f50e10bc724bf91890e952bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
e4501e49602568367649b892d14e7c63

SHA1
9da006396ed5d8bf5962a884219584eb24c806a3

SHA256
1b590b4800c3df20f198ba0897655da30d9f7a4c9f12656cff566b65259c6a1c

SHA512
4a88c41083161161dabbf5cb558f2c39112035d89c1172bbd3369ac5d9d8846828a50ce368073be29c8423f4da85026ede893107a6654a7a6502b66ca6609275

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
99103325923b98820fa337e0bf296b7b

SHA1
7e41297b67db3ae63b73fab7ff73f39ee7111b76

SHA256
365b23ad2d500545e059320db972da393c6e70ede3a37e2959b6e132996b7e62

SHA512
a40ecd46de446f5a6a1f7ec20118ae4cf1c6dd997a277750e86d382e084b935725ede40f91cdf0b0c19cd55b2a5672645401abc91751835c4f725eff408236d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
0f4aa0daea52ccbc561e43ee1b17cd2d

SHA1
3c4c665f8d4ed0483540d867a56dcb88a4ffdfff

SHA256
a2382927660afa21839453ba4bd4459dc180b23524570050be0486fdf7b9ef8c

SHA512
375adf3248214fbc036baaa3f52d9c6e2e0ed587c1dacdc36603eedf12ede19d43d9d64c0039e157c9719c961e6b039b2cd32b9f86258400ceac14de0daadedc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
7b91fb58d05d84e74cba47a3ecd30748

SHA1
d465c2196c1411874f28d20a16410729891a4cb3

SHA256
14d8a459b09700f8bcefcdf6d246b7b31175a4c24824dbb615c11eaea964527d

SHA512
dad407e128c1e80fde2147744772871c5d1da95867d1a291da46c4bcc3757dbf81a89d1bcc2d04cb3c2fcfaac040aa0963a513eaecba38ddaf34081cc506aa9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
ffe923bf9a4dc9b3fe350191eee26bc3

SHA1
1cf226e0077137cbb3dc47122989c8493969b6cd

SHA256
74514b212ced2cb00ee2fdea3d55798c3451568d4c2af370de1abab156851038

SHA512
7d3cbdf129803a81b08b4a32182d7a5617d3e7be7d08b914af9d71e850deff35749ac13cd698e910e26619e8d914ebdeb0254773fbc0e3917dcbdac6c0b378f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
ea5aefd9584fa05d98a2536c274b2bc9

SHA1
d590e644d6aaa5de0ae76a311d8987c3b13b64ba

SHA256
5223cdd8ae41f79eaca75bd1ca281c187df828e611879305797cca04b781ab6e

SHA512
21df3062d284580a2d63771d37546028395140e0f18808a0e80348b51f4294eadd1320221168042ac795603235ab7b17b3712af49dda1a3b0a8b26e5c174fe3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f21010c94e1009f08062dd9e5a111f3f

SHA1
a02eb37688abf5ccacdd4eba9c3d274ab2a44abf

SHA256
f7f88cda54d24605bbfb55c55e0d02e9fc73271b715b71fb51394095421f82a2

SHA512
5d8cc69ae7bb6373194ce9bf69e30459516e7105da72df41715fd33c3282c7d16b06c5c23137d65596b60e524a688d69814249e126d270e187b58f36505f7aa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1e055230e18b5c829279f7bc999b631d

SHA1
025d3d0c87346b7822c481517e833edea2120a40

SHA256
fe144bb89636e3fc5c3cc8619995d065f032f04faca4c87503facb615fff777f

SHA512
446a328effa484804f758f7279c693b278383fa29489a81fd4ddf581af10e634331ffd5b22e34688d3bc18172fede091966c69dfbd644a5f05dfdacc0777b2ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9a73073b14bc98972e5e49e3abb32676

SHA1
9f63672504fc277eee3c6de13411d80e7c8b8caf

SHA256
0887f46ee41fa8827294d5f1c08e48f196d3b4b14c63f65006e8b0830e30ccd5

SHA512
322562884a414f457b4563687a9b169dbf10e991de3903b9352954663b1daf74ea104af6bcb48366acb01681d0c89370eb107c4453223238e806d58519098775

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
67KB

MD5
1d9097f6fd8365c7ed19f621246587eb

SHA1
937676f80fd908adc63adb3deb7d0bf4b64ad30e

SHA256
a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf

SHA512
251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
41KB

MD5
2a8a0496c0022a0e67d77d3446340499

SHA1
ed76b29d574b4dbfa9e5dd3e21147148a310258e

SHA256
f348937ab6c6d9835af1f55e3f1d3c51197dc1c071630611ebc6d44834fc44e9

SHA512
d3767a8eafe019a15c2142d1160271ecc62f6e7d5623c0ae5fade269c8c9cf7de3b80678ed64bb9546bcf4d80fa66e11cacd19f2a7e295a6fec2a64ec8068c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
1.2MB

MD5
74c0a9aceda2547c4b5554c0425b17ba

SHA1
d5d2355e5919dcf704192787f4b2fbb63b649b0f

SHA256
3b9e3adb939801b9ada1ce67afc7decef4538c016c78113697b89a35a295dd8d

SHA512
e178dce4a59cf184bcca3523e687092f4edc2a3c7af4eddf1ca1965ca06347eadf8901f851260264c14fa052331b2d1aeef2a6b9048b87758617285c9650b479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
74KB

MD5
b07f576446fc2d6b9923828d656cadff

SHA1
35b2a39b66c3de60e7ec273bdf5e71a7c1f4b103

SHA256
d261915939a3b9c6e9b877d3a71a3783ed5504d3492ef3f64e0cb508fee59496

SHA512
7358cbb9ddd472a97240bd43e9cc4f659ff0f24bf7c2b39c608f8d4832da001a95e21764160c8c66efd107c55ff1666a48ecc1ad4a0d72f995c0301325e1b1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
43KB

MD5
209af4da7e0c3b2a6471a968ba1fc992

SHA1
2240c2da3eba4f30b0c3ef2205ce7848ecff9e3f

SHA256
ecc145203f1c562cae7b733a807e9333c51d75726905a3af898154f3cefc9403

SHA512
09201e377e80a3d03616ff394d836c85712f39b65a3138924d62a1f3ede3eac192f1345761c012b0045393c501d48b5a774aeda7ab5d687e1d7971440dc1fc35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
18KB

MD5
49a8330f71c99890aa6ffd7987b845ed

SHA1
a863c5f667e122da2fdd2310fd31b5735753bdeb

SHA256
4ffc3a0cd86e552b2f10a837564db35b6c2ee1f67e200c2fa296b5494e1aa518

SHA512
c717f8ca7cee8e6184f6c09dd53902fc8d32f08772b4d09789ceb08b11c3e10767dee18172487563c09b65893d95bf5cfe7927929cef9e685b6aedf771b08838

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000041

Filesize
55KB

MD5
4adccf70587477c74e2fcd636e4ec895

SHA1
af63034901c98e2d93faa7737f9c8f52e302d88b

SHA256
0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

SHA512
d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0002e5937aa3eca0_0

Filesize
2KB

MD5
abe640e93aaee66c4e37062441aee853

SHA1
ab746a9932776eee183cb6f4959edab78aa08b60

SHA256
c7551639fe3cca2553dc7d7e21f299355d95f46c5031ddf7e376b795955aada7

SHA512
729c4007b3149c644d6973953c6d3e6c7fc89bd2794b30411d502fae35bf15c5a28fe3c2c37d5d0b97b775e6b321345670deb7cdef5485f5c337ad3a23904248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\02735674612cbc52_0

Filesize
1KB

MD5
307edcaedccd47b996da553b40d2365a

SHA1
933a0b2c0aa11e8f79034ae8ffe50e4d89c4bf62

SHA256
dc413ee8b1747de9846b2927ff610a4a618ddfb5c294fcf440b922e7316cd506

SHA512
6ce6b1f4d7116268c808ec59bf5657e44eb31c6179d30794b65c50b7acfcba5635bb26afea4652938d5106bdf7bd292484fc2435569b29750a640cdea633130f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\14ff8116b518ca2d_0

Filesize
2KB

MD5
2bd0cb544580f377a835935f07b26817

SHA1
068d89e6710bd5b78b1cbb568c8f33bd1ddc5784

SHA256
5c2888fb20be8ad6541200d9db7f6caa6c401bb183687f9a49f424c2c67a9924

SHA512
5026fb4c3c3b76b26ce1caf77bf46e6dd375a79682e4b9e6898b7335a076a529a4abd8c5544b2b45443c7dbd9b1017b9689d8a7cde6da2866a05b0d0d37ed46c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1927a26afb9a8b4a_0

Filesize
1KB

MD5
4382b8ecc38a0897044b23de400cceb3

SHA1
24538317130e34728bae0f74c63ea23e57e15188

SHA256
f3d15fe86603381eb41aade5095062d70d86edf765b66963037176c88e4fab34

SHA512
974fb12fbaa895e42feaca9c0e08d2bf53efd7eac5219a890ffcafb70ad8139636fd2839d0979809d298f8b1088958697177903d2c1e99f280827fbbab1e7216

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1ac673f66e12ce14_0

Filesize
2KB

MD5
c22063bb7a30d9c5d3bf903bd373be60

SHA1
db126c3f80401a98e754cc1a80a284c49fe605dd

SHA256
972b39f024594ffdf2b549456e382312dcc76a1c6015b15b0d7a392773add145

SHA512
4edec65cd1dbacf3f0d7478a4c717999746b0773f031e6fe392c6475bf033245b3c4ed5371662e112ff5bbf4744d9b79f512a5cc2dd773b3ae0305cf018add83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1ba208775fb5fe09_0

Filesize
3KB

MD5
bde26eebfe50b9710cc5e25015a28094

SHA1
232440c4e04474bcb299e5655bf80f66eb3c1531

SHA256
b90821f85724c2ec41089caae1e2d987066d262f064687c002c65218aa149e81

SHA512
3a632b19f2398d3eae3c132c7c89c6914ba62795286efcf11cfc7cfc773dd921c0a74233198da52ffc703b145f9a7f36371c1e259f9be77b7be1557a64fc63f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3fd2be14abb3904c_0

Filesize
1KB

MD5
19ba336c47ed59e6ee3e03394aa33909

SHA1
a1a024d5d6bb59ad48ca747b2c8c32f14d11ca6c

SHA256
1512a2b9f9b9b18f4b5a971314434518cf1ecd01d47f49be70175e107d30cb0c

SHA512
22490df3901abf990b974fb4ca489b9413b57e91e414fa9c6c42484af198d64694844227c570e39a63938183eb31d5e4504248dcbe991810d240e717432c2df2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\48b1105b4c2874b5_0

Filesize
1KB

MD5
9f1b8f41a4de8c77f42db98c331977c8

SHA1
0873f6c32c9d7a7bf154b3c4381a7b87d787f182

SHA256
8ca0dc2fd77fdc524bbce2d9ec0e34a03dad653755f2cc0d4f46aa4a30a07445

SHA512
06db541cf6cbc9e59063fa72eaeaee6658c7281b4d0671c4127cad1245a4b5767647cd008092750f79fcb95e29fe70c39a033a52299f46b0e630988eb719dd44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5801d3329fb36c59_0

Filesize
2KB

MD5
b6d926a37e2acc06eb47b4d8e88c777f

SHA1
6f52a28c51114afdae316b44750e0256d7357df9

SHA256
2c0bb4c888bbaa7390c0b5a5e62878271d33dba3cc154c0edf961d10ec58d28a

SHA512
fda3d4f9fa1e7bf432944496ea80150307796836e1d6f9fd2ff22330bf8dced85c549edede5e3ba8928e9a4a9949563577c11a599b58411badbdc7d25ed92067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\59fc8adf66a76ab9_0

Filesize
10KB

MD5
dcaadae54365d726e2fd8839f70a717f

SHA1
5eda29900262fad134c5171ebe2da6b14e4e54d9

SHA256
df9983053bc0146d89dce7211beaf6841b6c9369e004c748841d1b7e7e08e2bc

SHA512
2ab53eb58731746bb01ec1edc439c3cea91635ae1db0925b689616abfa0096f9aaea4dc57fa290d281eb624a647e5448ffc9f09b363204bd4bf2eee04bf7cfbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\62f20db8aae8f96d_0

Filesize
3KB

MD5
c91cb73309bd6934ee658df61189dd1a

SHA1
0c22e1a87acea5f81fe42fe829ff6c1d0806399a

SHA256
0f369adb89866101d194cef7c508cfc4b7be6ee00fe0397f3f64eeb3f0588f15

SHA512
b1a640f62a0a5aa5b967e15317154c0ad3e9d8dceacdf9b5e50dca18ebb6bc8e86a6fe07956ea57f8b7b53df04d1dda894eaf6a68e6ef44929b54b8c4e482253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\632e260441be7404_0

Filesize
4KB

MD5
7675c1a50420f3d1b75f5c420cdf0b71

SHA1
82222a953643287b08c072cc39f303e2ba4ec239

SHA256
fbe4ba4c7cb1b806b4c86ad0acee9332e24fc84e2732ed2c58239aa6b8a44186

SHA512
e550c97625dd1f435acfbb14a4305abce691cb15ef44467dadabdd91202ca6f47d89a223288ceb7a36d321907b65bf81280c58271599b325da2a92687f7b44f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\635e64b37935c888_0

Filesize
1KB

MD5
e77e8a118ce79a2b24760dd4cf331f62

SHA1
9b4fa947bcd58b6ac67d4417677b5efb2e5e9047

SHA256
968eee7d575290d53ac05ff0ebf6592fa242828e2a8dffafe22388d9f46ec2a2

SHA512
ae9b5740a530a064d4363b9de372b4a5b89020b23d2e9f07edb25e9d8a99bba754b9b2643258165d819b8b7dd406692983ce4b298cfff00d78b90f41da874c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6d3b0ad57bdf7db9_0

Filesize
1KB

MD5
c26b15ab44936d9ebe11df1b51875c0d

SHA1
2f80b807f421376865f5d0325eae643a39c8f8a1

SHA256
d67d92061a3fde355e223e6a66826de87880dfdd51958c8b0e0e7bb0ff20003b

SHA512
75c3558b26faa60d52af6fd1b7164bf656c501b5132f128c444987ea9d543f488ceb7463ac227130ce7189cea9251601997a1b8e0602a8e5740790acca63c4b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\718aba49c9504085_0

Filesize
2KB

MD5
42b2892e7d1fb7a2b2e4b3ecc8b91aa1

SHA1
29b1f8385d39a186ea3216ce55f234d4f194b0f7

SHA256
c949438daa88a396c5e2a346a7b8b2249a7a032fcedcd1ca490b9e8d8443a404

SHA512
d0eb5c106711bc913652a042eeb32bca1ed3349a269385ce64131fd70d925541cb43505f2ceed3548c63c7bb27f1132edee6ddf629ff5dc32e5dd1355d13354c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\74b88724f60b0383_0

Filesize
1KB

MD5
bdc1272bd9d418157f0c39ad4078b3ac

SHA1
b1859ccfb7d97bda7841a6dfbf403215afff1f97

SHA256
e3751f1803aad16aa24bc60ba5afbe8171a3264a68a7078ea9047e3eb90ef742

SHA512
c90cb39ae6d47f5dfb25183a5e963f73fac38d002d48b40510bf60aa57ca1616b006fa47e7ba9a9531fce4d58a5a59c43c0793a809e14e133d313e1031ff37cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7a66a1246c4f29f4_0

Filesize
9KB

MD5
18cb624470653bf3f5640eceb5cd7bc7

SHA1
a7cc6a9a8ea41cbc52e33cf45cd28f5f44b263ba

SHA256
bccfd0b1d126ad3248024bdaa8b732c99b635bb6965624f699c48a5dbfbedf98

SHA512
f991c6c5e3af2ab5e3ef0d735e81ecb42acaa7fd3c7b31d9df863c1d8a645d03476771767f7b07d99cf4e607ac55327104f0bf803815ee0aae87a6fe48985bfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7cf9843337c39c04_0

Filesize
1KB

MD5
6e7ae06524df644b26e459e4b4524255

SHA1
f43a40567a859866d0b51f3c29d516f94feef6b5

SHA256
2cdd1987dc09ceda340115a0156e2735356da531d2d8810c2d99c89826ee8f80

SHA512
44939f97589bfe4b513734e9661092c0e57c549f27a745ca667cd3e744d6e02da91cc7442ea11aacfb9e09e02ab774d440cad043e903fd3169e0984031788aa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\81764cdb356c9506_0

Filesize
6KB

MD5
38f2a94eea089d0f0250dc1ea9a63a09

SHA1
4f63780165ee090c18365c970973e26a76ecb74e

SHA256
ac59c3268183dbf5c15a85ee55e9c3c3d4675f6d00e22b09a1f586562aa4ef63

SHA512
823017c0101a411619dc2837c9b835b73bf5b7be02b5bb7c75360a1b08174140ec99d8514ad22a409e24a6bcff2df73dd3bef5c6746f655e34c79ad8680af3d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\87bfea9426cb2ef3_0

Filesize
2KB

MD5
c254615dddaaf2a1d81476376bb163e8

SHA1
a5e5630947ca15831539f679fb419737295b8bf2

SHA256
dfbed4212540b9712856fde5d38c1d8efb202f63a809010ccbd657093e5fbdba

SHA512
b56ccaf43849d5776229cade673bace8e22b1737336d0738e5c233ee64fa3ed91fbd95f2637cac1089e13acbcade3630d9eb32ca043797e9426c1d6e6159b99d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8e5987d08f7b6e11_0

Filesize
1KB

MD5
7856b1037298dd319e32c9cb0c9e3780

SHA1
a5a4b74f58b9265ac5b4d9e956ea379a52309864

SHA256
aae96e9407b62f1df26fc37a55bd53b0e97c8892e74a339bae3020a8e8177efa

SHA512
f77dc7bc5c0d528eda1ccb65b9a5f6098087dfcff40442f2dd0b1dc0d0b164340a5316e0bb7a09e54ca1b53cb4ecf8e2499fc43b48db9027f0bb259d0350d5e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\94f93ada55bda7c3_0

Filesize
2KB

MD5
8ff6991558e639578ab14b45af015379

SHA1
72562e286c25a9d0c043d0aa1931237ddbfd581f

SHA256
f38a7c6a6570ec6324aa84a216cdace85d5b4666e8071fb1e3b722200ae6af48

SHA512
348a56124bbb915edcb36b5dcd62c3aa6d3d5e7930bc6b1958224bbf383d5afc77197e85e935de4561dd36760b927e67a46d750a5441498696fe179cf25dfc7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\960f838b42b585c9_0

Filesize
3KB

MD5
476b334970aa3e4e9c464ae17ff2dd0a

SHA1
2c3509684b44db8b0dce7e02434f6f44d01f2bd7

SHA256
7268f209093f7d3bb4a8f1b9a62d66223b981377e200abbfb8a9eb142ca01674

SHA512
4721c4d56ea12a9470bdc5d892dfc3e9fe8bf6e918213b1212fc0a42387fbb60de8e5eba65e5824a3034ca6ce4969a56779718cc7a1c18290968c03266dd76b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\99110e9a19c3c06d_0

Filesize
4KB

MD5
6fef9bde99278cf194be0228f63500ae

SHA1
e27d2576bf8edcf564615ad115d832bc2e8cda9c

SHA256
5feeb8fcad97f371eb9e89e8888178f52bda9a5adf84bc15f8642d0e0ab956fc

SHA512
b808197d0969c4b334e8987795ac8ee7a26028bdffecc5877cd50eee5dd8792ee4d7f7bc1d038e1986c6ee6436c4bb9f7919f6e57d4e72537ae2acd486c799fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a37ad9a49149528a_0

Filesize
6KB

MD5
7b48ff9242632688245e526f3c29fb31

SHA1
9bf0c312bbe0c9aa0f656c99da13cbaf9ee18073

SHA256
e4b5255188c63716e88ff48f4a148e5640c89faeca104c1122ddd1aa90b0e0ad

SHA512
c787b5981ce63da9cfeb1531e3730cb8378abafc814849550933f85ef4e18e24d11e36d6e252f847d8162a527368ed306cdd9e0188a4b7957840a0f90ec5b4ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\af2cfcaf6d9b18bc_0

Filesize
2KB

MD5
66182658ef034e810c354aaf17733716

SHA1
bb1e3bc7b03ebafa5e1600f2e45ebe56541f70d2

SHA256
f1d02a0506638e53294033af002180ae514896da7ecc1eb16d9cb6f81b1a27e7

SHA512
6a515ff48915b34bf2a1a646158401607803a0be7f56ea969ef2c8942f1a651c3ce00aa87d76a82d1e45e68df70e77160dadca7d2e6c016b0d0b955ca98bf23e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ca5bb3c84b908d6e_0

Filesize
2KB

MD5
58ac318f5cfeb8e3d2bfd37433c73fec

SHA1
af9c8346787f2e4eb05c69bba36bb5b0c3089b4b

SHA256
888164aa5b99a67a703fc17972e7371f5c2950e8be6b65fffd46cbbfa71721ba

SHA512
3ca4b779eeab5dff3b1e46b1960ad883ca91f38c40c8f11961e864dc9daef83340c74a1bb202edb138c93a424c6f34c5a27fa51ce2f60e351dd5be27bbe4b7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d00019f29c31fea5_0

Filesize
2KB

MD5
f00bb70bbedde871ede3d792eb253050

SHA1
ceafe4beecbd718c28d6014ae1971834983f7e9c

SHA256
55c15051bce0805b502ef745e0c16024bdd09221355bfa8158206a84653304b5

SHA512
973537b663b68f8f27969862b548e175d53b5d1f4435259adf2dad28d4599e833624eca3c3d8763b535d1327fe5128047d39c2e7fd28c6427027ff956851f84f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\daea348421cbc209_0

Filesize
2KB

MD5
be98134794c173a81b83812a6d8e7ca9

SHA1
be637e485ac1b93bcba1ede9cac60cbc1a96e5df

SHA256
fb8db269b9cb1c390481768bca4c82c1531838312b4dbfc9e67ffe15571e2f56

SHA512
576ac2473d7b22d858ccc59ee029bc06db5ebff9865272fc0ee0fcd3f33cab2377d107d46c80f7d0967a021da2d4d7478cfc1c8a8d54951b3e48982cc04491c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e3d18be5d494e38e_0

Filesize
2KB

MD5
9908666b3b250696696765d774fde4a4

SHA1
89f875d7e387e4f4ef61fe95702f1810b76c4b26

SHA256
f6616b31135cb12a1f5461ddadad452a9202408a7b79fc4442d1187b986b4670

SHA512
5d5705885454393a3bc97a114bd35d70141b2fea306afcd1bffcb479497a84e3a1cfeb0ebc53cd5bf0dfa3d6d16be8562a8b1be90367dab61d0e5e320144c50b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e3d4e045555bf6a5_0

Filesize
13KB

MD5
cda619c0f28b5f05e6c797efe1516191

SHA1
75a070861c4d73a88f5b328bd1662802d0bf5b4b

SHA256
c8f51db53069ce8a445eef10224380a7f2c03776fb4cea42d03b96f0211a6adf

SHA512
e6f0af19fd30be21fae2347f91fb306a6203468cccbfe2b6e3115d54724c078890294c076457466abd1ce1289f3e13fe34fbd0a33abc7aaa4d9674578d3618f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e504183595893c5c_0

Filesize
4KB

MD5
adeecd722024a2dd47494c3f3bf64940

SHA1
fdc216ad4a01dd7698ebb1c7abf48cadf6e2858b

SHA256
940c1cb2f6f04c6bd05706fcafd2fa60cae3e389d83aeb094a1d8351b6216a71

SHA512
798b76ec12d2118318fabd5253d9d90f007476bf173e2d2d64cc643ee83935f8b17a9857ccfccaa226030271f73db47658db3bd173063df63778b55efb93ec63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e8f6640eef188435_0

Filesize
3KB

MD5
a230dd976ac6a6dc1878b95817072549

SHA1
5831d24f1dd6026602183e974b52246ba3241683

SHA256
4000a9d6e45fa14fcbb3f0b5624f1c8618b6b0489515e1967b5d9fe8ea3f0012

SHA512
17bde6ee68e60a6f73444cce479220928503a28416d8ca336bf32fb7db47b4e696c16cf036103dfeebc4598ee1d26fa6771c1228102260fce72f499139f13917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e9ce51a331903892_0

Filesize
5KB

MD5
20570ea366d8cc471ec7283f34dfebe3

SHA1
c9e0824ffc705af189848c994f25276c04aa9d6d

SHA256
9fdd6b3d95e290893a94b685a16eded49c64dabf845aff86f88e324ae3c0eb45

SHA512
4293402a5f4f8cc992075ba4c186ee1dfe3ff477e49f24730f40bfd47530733e29620ab721583ff62c372eab9754464a0f880580fdd5dca30f2c1e524b9b14fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\edb3b6840a8ddc0a_0

Filesize
7KB

MD5
e6ad791b83232d8ccb449b87ef4aaf99

SHA1
a5bd8af0aeb168d4060f893b1415bcf97307a46c

SHA256
dabc2de6277881f7858260d30dfe01482917d635f5c5ffdb6ed7b1f470ca6f47

SHA512
778971018f836b6107a866aae06502ef6df9e8cc5151c3dafd10734f9226a2d6de60a08f0ee32e8bc9259442a1fde5d7688d83000b30a02926a4e88279836eca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\fbbc3b076556d40d_0

Filesize
14KB

MD5
49f89d38c8bf13ed1923810d0c0dafc7

SHA1
bb959fe1f93d318172b772f030a6aca659a55664

SHA256
fc50e2537a2f13baedf7bdf6f89295d3efdec48433ace0bc7bb913c83c173aee

SHA512
66f6879a853cba6563df16d4a118a28fbed5accfd50c81be988fa4d516dfeee87cd33a066b56c53cd2f7fd3b31274fdd49d95ed6799c5c0fb078f3078116769f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
8c7dee3205e0878e65fa85651141236c

SHA1
32b0a015f6339f3396eef9103a38f0cc32e3f543

SHA256
1a4618605c8b46f8a94ed6e5f0893e5d0f15d1e72d109e01acbb6d05c363df9b

SHA512
34a9838a02befc4ed8f0882953049a3f1b3f981f73f662432d6430c48c6ca6211e9cfdb9c8c4e00594147fe4834ef0395fb05907964a8a1b28cdaff62d87d5f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
ef39001f965a59fc3861bd8d42f6a76d

SHA1
2b8709dd95fd8135c802b8eeca3c6643348e7d34

SHA256
9bdb16299a8add5aa8b4abdcdf18109c72e97295bd87aad19e088793f8f7bf2a

SHA512
e9bd9025a51c4fd2dc0b767cf37882d0acffb4a369131caab7545b94510a3007b6e05e42cdcdec9e2c1a3783cdf9c0b74d7763c838635bd875fd04bd7ee5566b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
84dda18e4565a3b9aab3747d6c528767

SHA1
18045025a2ec2d211de78c910b9945a03989ab37

SHA256
96421e6e36929c047aff5f00ec055f0ac0df6f93b7ba330dc98559be52ea9ffb

SHA512
8f07647345cb9b5e9bc0dc4aeee49746055c4b13158d5e778d07e049a1275a1e0fedc3d5848c806b44efcb23000de948dd5f685ca9e8a4383350227086b309c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
82270379f6b3d303451c5c54c928c5a7

SHA1
deb6e67e49504cb08717b5083f9b5841e1f404af

SHA256
80e588ccaa2e93e3de09b2db6139b86e2b4e6ac4c0faa61fe8961cd582a60b48

SHA512
ddae39efa9a7c8d5e741bbea7d59a48eeaf27ca9f35f99525af2c9def4150921583446700a5bdfedf249461000e60623ee0d17f9159fc4d5d3610f07a5cd2b59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
552383e5eb644747d983ea63e30a27b4

SHA1
4efe0cc26a658efcfc5e55282a72386ce22eedde

SHA256
1baa2d5ad3c5373dbc91d22893ff8dccde989acdf51fe0ae302847722c49c8ed

SHA512
d0a4b2e41d0426531dce25e62080703a1e9aba57fa59ee4417e2762d90f82b412b8e28e39c45ee63cd5aacc1971ff645be9fac83a6d9c4f07fb14a0863b158b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
0709927cae41a3731da2be2d26e012ab

SHA1
7493b6e4654502c50ce35944e05575ddafaea0ff

SHA256
8ce78fa00f266af04dcce93821cdec9fd6ace03f18ad0d4c373cc18512b9e641

SHA512
cdd17ba0e0c249a60a0301b8234bb839a68e9217cc390678758c2a65f6f45ee00047a92310a895389e72c54e8a0ea9ade16859f0743d0aa7b247505bbed9696e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5ede48.TMP

Filesize
4KB

MD5
0350240c670cef1e3df237b6921919df

SHA1
925b35e72f9be104c0aa24844d65c14a266a8fbe

SHA256
dcf0f88d2ce15ff49fd3883cfff37d459de3440ff9d49c05688158c7a1b5635a

SHA512
fad7b9e1aa7ce50f6db542addd9114006c7faef2682678ec0f4d0a24279a502e9a995d665ef0a3545b5788a7022ee8065a9415865435a2d7c8823d22e560426b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
35232241fd83b0116265555292a0ed97

SHA1
3b249e82b2da11709630997669d22aeac5d862fb

SHA256
8178736d350706d1b06c7ec6fc5823c2775b3e9bfae3217c10bfae8a8f004999

SHA512
55126f57a1b08484fc299b5d677861b4991f84e0120eb4bcf1a3219b183c510fb4655c0502c6b3b3873fcdbcdba80af8366924eac484eaf26a8cd1fdee9b8e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9baf8f5ee550a0a677776afef3e0e153

SHA1
fe87fdd04393389be5fa2c61f5f0698c455aa254

SHA256
50521f6a7ab639d070539f64e61937cc552bb519a003cc84c2f976e439f260b4

SHA512
ef9cc2f1c680a952e6a219dc04ec222b6d86bc31524c2aeb192b60d0484c45d32da2dedf5fa4815135babd02b99a9ca97d1dc532a400fcab1ac3dc407c9022c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
fe376b9522dd34747d148b23a2b0621b

SHA1
e8648382d71d55544537432bdb2284d83203a484

SHA256
5645f92f6d844ae14ce5dadf57023a1cd34d8dfc4c7b02a2de781ca110433704

SHA512
08e73c7c52fc98ead5abc9035c8527b94260de417d364960dbdea55281d2456c1bd45220d928cb439489bccd7b0d3c28f08eb03a46ab2bf06ed8ead394bda2d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
718B

MD5
489b0e0d024a0fcfe36356a5a34ef588

SHA1
5e368260f7aed04fbc3c291ad3f235522ebfc49c

SHA256
94949a19ed703bd0e96e8a98631707ab154e7802a276c3441f0f3a43044b070d

SHA512
4e093ffe802d86d13d37fb5ccbd99e995912b73ebe760ed8713634e7a56d2313475308d10999fe622d9ddac5512035f56c53ec09031d5e00f2c7222c032fac92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
60f2431b89de5612b36f5330fb8110c0

SHA1
185b289689db44dbd16d5cb9a1b3df14466c8c9a

SHA256
2da1ad4fb17ee4bb91f29045c0ed6697210bc9e6516f3a56b58e5c915a8852b3

SHA512
8be553cb01e570464b14fcc78b3ef1495db76abb58dd2f328e00808c314c7e677d18faf1fc5dcdedec0b14ec4130306d2773b5b337f9803bb1a6636d9cdc74ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d51516cc12029700ab51562e09b679ba

SHA1
895888fc0924fcf56320cf1dcf76b38f1949b50b

SHA256
0abdf4bc898aaabbf7bc40eccaf1e8475fdb496f3433a691545addf980c4e9fb

SHA512
ebcce4a90bb0643c25c7504b6503896eab8a55589f42de3e3f054442e0c8fd220f42f614007e272fe4f1b641962aa1fbc8122a08d0b83807c4d850e32e688f60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
83ee4a2bb74e8f6b1209405d2ab16029

SHA1
076780cefa89ab6794917c0cdcd8ffe263d23845

SHA256
e77cb6d7d5db4570608fa1c37ad907dbf9f25a0a266921b44120214f16b41686

SHA512
c885a13219186dba9029af2e92e5b4b5ca615f2c730d55e05ff4fd25c7acef4275d9a2753b7e6ba487cab30ee920628076e5237c3db51dce5cab968a69a8e76c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
53707fd6c75affa36505ad418cc64e5a

SHA1
61c891949675754fd54269541e249e67f0c0a0e7

SHA256
6d832a900e7af4c43cb0a8525c71005abd08266e8ca10dde38320b4891c46afb

SHA512
0786c8c97b2f3cb9700343bbc5061d6f920197a93f65f202a91cc22c264f41902c3c086cb8fdf1dab5b7a65c060108fa4ecf81074378223ba7353a0285c5f8cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2abd8c2ab5c95818578bcc946cd86f61

SHA1
d5fb21076accad67f87fa998e58ec80a51825b21

SHA256
4856185bf539d3310b0cea26acaec0ae796522da2d47395ea473b15fb09c6f19

SHA512
57221832d38f02958f1be079156bd63fe2b34578fc91eba53b498b524fd5d1d39f30f3e8bf29100dcc2b1814aba9746cbe75e387bb9e53a97cf146e7f4e622a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
93d8ed84c2705830f8c74c125e999a9e

SHA1
750304f6b8cb0b0ba295182d513dbbe852ace3a5

SHA256
f19812324d83107c338b915eaa75e7726e97125a0d7a6b845ac51c001055e12a

SHA512
dbdb8be5282e87efde9449a5b1927475ccd9f7d882fd51c88189f9c1149891e07c622d1370a958c904fe50d4bfba69b0af5cb2c3b168d011b2ac39bd368e19b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a2d0d9c9d27db4eaa97c719a94d62f36

SHA1
e67ec1f588de8b69514b15c90da54075e5c9e910

SHA256
1e54e6da80d9e828b78fb22321b68681ab1a955e8c8ab08a888540e290808bb8

SHA512
d51d4da3a50feb2a34da9984e290520e11c364dfbd1fda48129a73e51ca1d01e352f9c0427218d12a88da54e18c46d3676924248a5439ba76ce0e5c5f1c612ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1ed1134dec560bb1f98d8b988f103b9c

SHA1
42a96bf589c4ef2fe0523890072c0daa4bc60bae

SHA256
ab2b89e95657462e89807d80097513a8d8297b1ad84bc0d6b4d04f9bf014be8c

SHA512
19cb2b37179462631bc96059ef4714a554bce403ddad88dda0a93ff220e82fd466c9969dd7a717d53dba93c616d9af972b685ad9875d86049e31e98195598455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
61e84cfbe21dc4c913b971b1b197306b

SHA1
7429f01ac5778bb2891a52f784a81aedbc3caf95

SHA256
4f5d8e4030b75bcf6eb821208c7dd9c8f908068ae584c990be121146907b3233

SHA512
0ff589aa46ac67bac94dc77f698a0280a92fcf013c2537a16a9bdf7e9f9bd9a13c743a015a041a6cc00bc575dd536a1f4f2c61fcd2e02b6efe6372e4dde9739c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
79f154ef53d3da5e56c89d9dee3ad966

SHA1
b1e99adf3384c6e3fc4c92c0e26bbf8debdcd496

SHA256
46d43c82c8d54e72f470a0c22941900ccc70bf617b02baad1d3daf917176dfc3

SHA512
b1b3e053768f7033951918d72d6d89ece17b939ce52f9cb13b0f518c1f3133c5ca05498a546725566aa1b1157cd69bc3a9784d92d0d362b08fbc3951a3d1a6d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f200bb540effc59120b77d225a4ac5cf

SHA1
d318119c560a66fd1a90bea7913dab1715c74cc9

SHA256
f62e3649b2015a05e39fd5ad50f44b2c13a65479028ff086eb0c4b080da983f5

SHA512
0a079c1f7b8f8b7e7efad5b3d1062d7ca28d6168c30ba584402e6f735c522b4d9a81330e5f17cefab6dac0afb5db452250511a94823311020be2da8faaf554c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6c1e2691300f1c26659e30d88cff7e71

SHA1
c73efabcca1c4296f10bbf67ac202a7cd7a150f3

SHA256
a059d88c20193667718628c955c5ed5c7fc206b201a1e9e57f4ccfb3838cf34a

SHA512
ebf531be0ea67746159c8e166be039f7f275689be5045a27ac51373a88c29479bd3c0042c5302f06e12c574be070000689844ac468ccfb4f1c4b1d641061f526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
93f28e20baf2deb146e03ecd37f4ba15

SHA1
e87be148d832bf96ed98183cc40f2c81b678ab55

SHA256
6bc3b4db88a67c440ce5dc9731b63e306eae4159a5cf5477347a3e85f84b6f63

SHA512
6fc20d4fd8b637a0721253562582366be2fa30ad1ffc27c30fc676083854562a19b8d4c129d2fcc552c2040138bb60cd8fdf95a04e96f522343aa81dd250023f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5d57f27316d33d77d4a856c995c708f5

SHA1
c9125e88c3608fe98403496ec83b72836be89250

SHA256
d4362c5bcfb0c3daaa6002c7a8ad35784803ec0956957a26a721845f8d0ac1b7

SHA512
61c54d0a38d08d7d65abbee5ad38344eeac44876e36a98955733594ac2755d3afca2079edb8e9a0e15e49f25c5d541e1d8dfcd9db2aacb482bfae8d7066b8b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bdff7ba77eff23a4ee56ee098c16f193

SHA1
543c4a7adc39a2c8da1af81aff013fe653641752

SHA256
3b168c513ac448dd696b12011547c4901d34dfde28d703877b0bec81030615e6

SHA512
4f8da9e65fd01799e864d7c433ba0e61f1f0648a6fef631c50de6b70ee88501bd1b820318aa58ed5a92d684c028ab915d0e8993b1a043ec9dde2a9895ccc4845

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b2fa5eebfa197bd21a0d672b44f57518

SHA1
5b89193c727ff60dbf60576db13eb807be6310e8

SHA256
aa2f5f20fabfff6fbee8930b72f5f6999ce669059f78e05c4a6ecaff9e71f6c9

SHA512
da2d68ec2b3d141edb84b2437b331052df8f1363ce8bfaa9258b9d0eb707017a24b5e4d9b63e0e7fb9e00c31f0bc78f9b10442b29b87772ac1d61908329a5f78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7b6021eda69e4b567f572c68d0158f47

SHA1
cf37cc2b9d23210cd37776ffddec5ff020b92a9e

SHA256
2f24fd004160c281c3311b880834e5355d511c260d6a1ed75a520c8396745f78

SHA512
b815c6571be671d262b6338c5ac8a752bd8dbcf76f714eebb207bd55d6a0d51f6d56c39f3ff3917b7ef045dc56cf60b08dcc2d023b2cdd33aea35f1b384a3c03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bdb4ef96fac5082e15cacfa2f74bf4c1

SHA1
a84c97b0d48ce4e685ecd013f1b9acb206a20c01

SHA256
1522ad05d450529d2a209feed75258063856103806236546f0cb38e16d8f7f17

SHA512
b88e63746afdc04bd22160d47fa45d581aa05bf429a54fefd9f4b0cf2244557892a6df73e1378c1042dc38aa19d2455ebfea3ffdb62c1e305926bd775738d5ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
01be04f7eeb82a667cedddddcf7ad7f3

SHA1
20797437e26c39fa81b14e4b27406d1a1928182e

SHA256
4a7617946169da1b597702cf9fea07d31cb97740865abf3cf0da1d2a54c2e1f5

SHA512
c58d3b3c9ddd43a25df0d2188225c85763d71f1a3dfb5013423b230d0013fd23b6179964e01f954c0fdaee28f13879fc549a7a639807d33fe9f4aff7e71948a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9f1d44acc049b5d629edbac71e28f376

SHA1
94223c1f8c564ea419802f621846ace9963c36aa

SHA256
7ee8870a2bf6fc4722b61004680e78c28c525d9612029f3aa5df30f6a1bff43a

SHA512
28b8f28bd90c77ddea2c5e6e10a134966396cc39b99cf15b33c86fce97da348f140c33c83a1ca156c828c61320761c28934b3f32f0420b3ab512cd5b79b6480b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d3132cdeee789df7dc0e9e8583e54f24

SHA1
1d318e5756f4d3f5e30e1185ba9e5f9b843b3d1b

SHA256
ece4a45af83efe8695681d50f02eb12cd28823a7c18c971cece5277e22a2ba8b

SHA512
64e8775860f94f7c4e7ff03a2be1069bdd08b3430474855b74e7098d24fcab1b750a2e94c04b615cda1313c23f9aa3be93bb29abcb5ba3d5f22fb9f8ebb80203

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3c1e2f192a3216bbb3818ce6441685ce

SHA1
c3ecb87edd8f0e42a2cce932817cb5f68b194df9

SHA256
e88258f8b46c7ede8727e74f88bf3a5673d7f5f015f3ce4c613a9929627adcfd

SHA512
dbb468b5ef6494a8774c219d73ebf0aaee26e8f5dee12482ebb873898b923094fb7a381409c65ab8e7258098bc50217ab1df29b85a02f452f074c69ba669aec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1d83ef5c2042739b29e849abf10b8e01

SHA1
2b3854813b2d0215ae9c9ade02173d27dfa803b4

SHA256
a4ad207b45a3326cd4404eab1a46da6421e2a0a5c2c99c39a1581713d38f7ecd

SHA512
4b90aa0a29a89cd40adafe0c70bd68a23f77bd265d06c6601d44afd93e452681e49752bab6416fd534c42f95117fe8966a956eba4f9d5ce1ce31ff9ffbf5976b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1a6ab1ed66633e8b0581410c054db11f

SHA1
2078d78b96a45f58ada5fe8a983bf781163aa5ba

SHA256
08aa1c83c43f81fe2ff53e1ab8fa1635c7bf20a5d4f77e141f94be72dd7843f9

SHA512
179bb07523b781e7802206c993fd6d4fdbacae18bb187b8c7a8a472282e553eb3bae3ce8b2bc471f6ec99eb546cd458a8443516dbfe9c729c5604162a2357260

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
71b2ebb82cc3dfa385a1aa807577a419

SHA1
b242fa9af3bef78c42e2cee753696766ced3c8bd

SHA256
620fbe7ff685ca8ba9f32c35fe62f892331f0680026cb27b49426b18dc7e5003

SHA512
b73a5c02e75377dd0c32f662a8e2b7bfcc89e4ea1cb837ab9e4b1ac058ffd128cd6900be91833ee38d5b6cde852e26ba6eeb2c7897683f2129238f65c2796ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5c70c1c68dc9d65151641bb2df180a64

SHA1
988b68927b3eae15b6f6005200bac8d7c6beaf47

SHA256
12890bbcc13d7303a17996f33591862d196064035de0a3eae85fb2fd726f738f

SHA512
911fe7267e0eae4f97c14d39388bf82fd15f84542c9795c9bf467b60d19c626e69780994e853b657fcb1755f4a2185a20c75117d04ea2e43e27843d519c5b771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
37c028179db25c60a4c47ceb6b3b6bbc

SHA1
845eb56436acdb13991269f259d87a80a0582c42

SHA256
6f7aa5e4339ccfd7bbcbb741f3ff3e8231cc9ac825e5cfad7c814c4009faa68c

SHA512
7791a9e4e96332261618e42d54417f3f307c355fb74b1a067ebea796dda1afc81a80c2edddd6b44f71689665b14f08497a558da6ad2247095fe7c0c668629634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a2e55.TMP

Filesize
201B

MD5
555db7a36e17fe4a88f4c7b6f0f696fc

SHA1
72cfcc49bcda5ad48de5991eb1f6b99d5c4f1b9d

SHA256
b8b1a06286c3dea36a894606e5b69ab1e9801d48bb4626cee46f64602cf57c7a

SHA512
87c39a55d203409af6b4506b56b316e5e96762e305abc9a4aec585fc9d95c296358c428b64584eb00325aff541f7d1fdad43f202618de4e5014269c822f6fbef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cee42be4-7d92-4db8-a214-cc50bc8025a7.tmp

Filesize
7KB

MD5
99631f4beee44fcf10d1adcd46d32784

SHA1
ac427c563c71a291268c6079f1acc829d9ca5d49

SHA256
800dcd40da502761d01fc1d06a0cc4b2285ebcfab55c21558f4e5c66ffea20a5

SHA512
723d1594e6a391fdf4fa1426b414a17576abe3d8ae39a33c22533641af3a232a90f65a5cef00156516e52edbe91827a60f1671870131c8843abe58d2324d1012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
10a80ad7528672946fdd8040a6fbab5d

SHA1
fc4008e84d4cddb1ea40260dcb1986534d770f0b

SHA256
4f58c5da2ac1d20f5d58d26214457b0132086b8a7ea1b100856032c9affdeb44

SHA512
17167c708928c6c17ab52380135125bb6464fa081c572db4f1e1a26d9a6e6a9fdd14ca5d054c1fac12857f373cf33ae3337e1350ccff29fc584abbb1c4dfc4d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
83e1dc21adea132088f56a34aa602fe3

SHA1
eb501c5a0c096bccff7fb392810492075abbb339

SHA256
2187179a94d693206edb9e80866538d79064178c5b15c0d27f4f4046547d1b23

SHA512
135b6f431e20f69c3e1ece862e75f02965fcb04ee6102735fb94dabd8a0675ecf310f4dde485802eb167fcf6533273f328bfe6fb881568f77a38b1644c7ddc47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bbaa776cb6e36c71acb6b42451de8712

SHA1
1c5b91e6c1e609b8b2a0838f2d0695ddbe420b23

SHA256
9cc47b55718b07000116b6b384daa1fcf7f6a5bf7098cf23f3988bf4b907c8c6

SHA512
40a1b823d60a1ad5ff575a8bef2882f5b08edfe5b8111f9d4e32151f579d24951f8640732e5b723ad5f7cf66cc756cb8805d618bf6964f1c17da6672f79e2140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e871f56d3e994755cf94666b6ebef5a6

SHA1
18fc663bd58ad422877d8a7b0d309be374393f17

SHA256
cf40b63d56386be450061716f7100caaf0bb4c1e0d4224136544ac7e33fcc46c

SHA512
c28552f0a64ed427cf26289be307eda26dcabdf12df770407f5814f06cebdb711ea32a74de836163d5e1a7bc762c1a7cbf68f5a03c9dade0dbcc830a2b7298fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c93fa2c621f90ae8f064ac0924a6dce2

SHA1
68dd19cca811656286cf024b361f84e8ec359d55

SHA256
00897658c3c63d7f1de0b6d76b29555f9ac54a50e1afbfdea60e537acf316f99

SHA512
b6e7f99091c12570abd2c18e07572ed10424e185630fabae7015da9afb21dc3807c843d6ab6ed1a3b76e69fe08ece7ef6ca1ada132538535d5c65558f8d1d16f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4070241a5ad61f2c73a9034e2ce29f04

SHA1
f3ba9575da5cb76779101cc69aa0669f4405c481

SHA256
f9198fcc1904bad5fe13096bbbead08a8edce89bf4195314dd35423fd8a5d0f0

SHA512
12310078b43f13531671fa4ef1359a1f58025709bc196fc7b481cbe18c98ccbb737b8d42dc9525350d22de57353eb57343d41910202139451b9face342977e5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
20ddfd6d3194b94a7ed7f5020a37582e

SHA1
dc0e06879d140d9cb5df4fbd3c1a0eee78c8ab15

SHA256
a477fe7066295faea57560b97174f3cb5ac137182870cffbfd239b9b64cda5aa

SHA512
e2fcc82b3951a112d7358500087417dde792972522534491a5895c2360b069316f31a115475ec8a5fa7dd32b982007493ddde0928833b1d4a1573715a6cf92da

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
de03d529fcb4dbd6508c3a99ba1582e4

SHA1
997534daf328b75e11df525e29a50ccc13718c70

SHA256
9323423baf8f0c00ace4f95ab8d4f0a4c13650efbc355d2c53703f72bb51088c

SHA512
daf62e40cccc71d75525e1f7a454dc5067c5d8ae4abb92aba039358254facf9520f03ef4be78179f834d2ea196d2bf3cc400e3049eb652720a225ec243d4b0c6

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SettingsCache.txt

Filesize
846KB

MD5
766f5efd9efca73b6dfd0fb3d648639f

SHA1
71928a29c3affb9715d92542ef4cf3472e7931fe

SHA256
9111e9a5093f97e15510bf3d3dc36fd4a736981215f79540454ce86893993fdc

SHA512
1d4bb423d9cc9037f6974a389ff304e5b9fbd4bfd013a09d4ceeff3fd2a87ad81fe84b2ee880023984978391daf11540f353d391f35a4236b241ccced13a3434

Download Submit
C:\Users\Admin\AppData\Roaming\Kiwi X\chrome_100_percent.pak

Filesize
125KB

MD5
0cf9de69dcfd8227665e08c644b9499c

SHA1
a27941acce0101627304e06533ba24f13e650e43

SHA256
d2c299095dbbd3a3cb2b4639e5b3bd389c691397ffd1a681e586f2cfe0e2ab88

SHA512
bb5d340009cef2bcb604ef38fdd7171fed0423c2dc6a01e590f8d15c4f6bc860606547550218db41fba554609e8395c9e3c3508dfa2d8b202e5059e7646bdcef

Download Submit
C:\Users\Admin\AppData\Roaming\Kiwi X\chrome_200_percent.pak

Filesize
174KB

MD5
d88936315a5bd83c1550e5b8093eb1e6

SHA1
6445d97ceb89635f6459bc2fb237324d66e6a4ee

SHA256
f49abd81e93a05c1e53c1201a5d3a12f2724f52b6971806c8306b512bf66aa25

SHA512
75142f03df6187fb75f887e4c8b9d5162902ba6aac86351186c85e5f0a2d3825ca312a36cf9f4bd656cdfc23a20cd38d4580ca1b41560d23ebaa0d41e4cf1dd2

Download Submit
C:\Users\Admin\AppData\Roaming\Kiwi X\d3dcompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
C:\Users\Admin\AppData\Roaming\Kiwi X\ffmpeg.dll

Filesize
2.7MB

MD5
b41b5ca7e8cdf2669494ae42bf476eca

SHA1
47fe1078383d1f42b62b96bc2aa73e2dd529c3c4

SHA256
308d47179729e3e06f5153c26621bb67af12fca73a37123987176df5fe9be218

SHA512
98d6822f6a7be5c9b86b6d63140f5e1b653021bf666a8611a18c37202f77947676d8c5c59022d99721423d3799375210b46f25c795e62dc1b258fffcfb3f9d2a

Download Submit
C:\Users\Admin\AppData\Roaming\Kiwi X\icudtl.dat

Filesize
9.9MB

MD5
c6ae43f9d596f3dd0d86fb3e62a5b5de

SHA1
198b3b4abc0f128398d25c66455c531a7af34a6d

SHA256
00f755664926fda5fda14b87af41097f6ea4b20154f90be65d73717580db26ee

SHA512
3c43e2dcdf037726a94319a147a8bc41a4c0fd66e6b18b3c7c95449912bf875382dde5ec0525dcad6a52e8820b0859caf8fa73cb287283334ec8d06eb3227ec4

Download Submit
C:\Users\Admin\AppData\Roaming\Kiwi X\libEGL.dll

Filesize
460KB

MD5
961c060f241a7ae22e962c82d7803ef1

SHA1
0060b167e55db981c1588ca2074b8ca38b9a8153

SHA256
c8e8007d746df73edbf73cdff18c09bb756f43814978c84a28a72f95d0ac5dc9

SHA512
79539e0d0036124b59f94c6fec0c596e64c41626b9994ff7457f2f6b26e8f2648f93f63f6422c444eb3c8b803079f6ef1f52191980ea88de9d25c40b30547599

Download Submit
C:\Users\Admin\AppData\Roaming\Kiwi X\libGLESv2.dll

Filesize
6.8MB

MD5
18d62249e5bd4fa1f66c95a9ee9eb275

SHA1
4ea5d8344a8fc09ed2bda4d3034c3c8410c85e91

SHA256
3299de173b3e5ce2f69476b77d96f6a758b2ccfdf3ad811902e5cd511c6888ff

SHA512
fa29557836e56f981249ee8500a8271a7795cbe2a4afb6abbbd57e4aa26c6b731d151258f093643bbfa18cd9adf706a9e4d532481c62d713b7f1a1045301dc07

Download Submit
C:\Users\Admin\AppData\Roaming\Kiwi X\locales\en-US.pak

Filesize
115KB

MD5
f982582f05ea5adf95d9258aa99c2aa5

SHA1
2f3168b09d812c6b9b6defc54390b7a833009abf

SHA256
4221cf9bae4ebea0edc1b0872c24ec708492d4fe13f051d1f806a77fe84ca94d

SHA512
75636f4d6aa1bcf0a573a061a55077106fbde059e293d095557cddfe73522aa5f55fe55a48158bf2cfc74e9edb74cae776369a8ac9123dc6f1f6afa805d0cc78

Download Submit
C:\Users\Admin\AppData\Roaming\Kiwi X\resources.pak

Filesize
4.9MB

MD5
c7b17b0c9e6e6aad4ffd1d61c9200123

SHA1
63a46fc028304de3920252c0dab5aa0a8095ed7d

SHA256
574c67ecd1d07f863343c2ea2854b2d9b2def23f04ba97b67938e72c67799f66

SHA512
96d72485598a6f104e148a8384739939bf4b65054ddde015dd075d357bcc156130690e70f5f50ec915c22df3d0383b0f2fbac73f5de629d5ff8dab5a7533d12b

Download Submit
C:\Users\Admin\AppData\Roaming\Kiwi X\resources\app\icon.ico

Filesize
30KB

MD5
2ccb21858fbdc62789d9e18ed5e7322e

SHA1
2253434ae5c3516ff67f6818c2df8a3528a75743

SHA256
d3c681a3fbb12183eee42f00af9773e62f0ab1fdc4311798f8c7861527807b55

SHA512
6deb5b31d5dc19edd2bfb1e353d26b4ee10d1a273d83cec387eaf137333c432b8ed0552fd5382583ef7ed0dcc60b57106fe70e98d2f23e3397b36fb5b62c2095

Download Submit
C:\Users\Admin\AppData\Roaming\Kiwi X\resources\app\lib\main.js

Filesize
495KB

MD5
d1bbee38f184cd44322a0bbae13d6b7d

SHA1
900c2362ed581436a7e0b5210ae1cc2fba769ca0

SHA256
3bc4df185354269c757e4c31414ded23866a6e5bb880b07e2ba22e1314281863

SHA512
6ca51132ff3e88c97005c626d913d263a9ed383e64803f66a980ce57e92e3bba16b3008b87480818476cde5979efea6bc2c1edb1472517a93d26d1bccb75d0a2

Download Submit
C:\Users\Admin\AppData\Roaming\Kiwi X\resources\app\lib\preload.js

Filesize
4KB

MD5
fa55c68c5f0b5a560604becb9df601fe

SHA1
0eeb7a10a9574238d6360ab895c78ddfdbca61ed

SHA256
317ea36e9119cd2024689687aaf927287213b5ec2909bb98c1ae87a01b49106e

SHA512
709da44b05879e4c1e8121e8c818e364bd6167d873529274d9ed63ea1b25a1ff4e9f501f11668a01677f9f610950a44b9fcbef99356d4c3cd9db51619d2dd9bd

Download Submit
C:\Users\Admin\AppData\Roaming\Kiwi X\resources\app\nativefier.json

Filesize
919B

MD5
217d133694c86bde075bafd82b343d6a

SHA1
a3b1c816acb73f091a42f055c8e2316d9719fd0c

SHA256
fc8b75f7eea7771e605da8f06a6f0405dc43dde25ce7bbbb42421beaa9852627

SHA512
94d0816671759c34323a1a28708abf8a8458a0659e76267d4d2a4d1babf37b590c22ac56b4f744035bb626d79c57fadc2278496ed83578e4c9e49a0af52ef9a0

Download Submit
C:\Users\Admin\AppData\Roaming\Kiwi X\resources\app\package.json

Filesize
593B

MD5
cdfbd0ac74fb865d4902846fb8cd6e94

SHA1
ac31eece29bf06d84099f6dffa3d532b8a78307e

SHA256
d6e438c788e336666265558453f5614e7eca00fac3762a8c95926f19607aca6f

SHA512
f782bdcc830b665d2b8c81073231b0c6fa8c186e2204926e2ca584e585f353f1e9d823cc44a0539d3b1121e453e6f6e975b0cae09d683e5f0ac0c2550e8437ff

Download Submit
C:\Users\Admin\AppData\Roaming\Kiwi X\v8_context_snapshot.bin

Filesize
713KB

MD5
1270ddd6641f34d158ea05531a319ec9

SHA1
7d688b21acadb252ad8f175f64f5a3e44b483b0b

SHA256
47a8d799b55ba4c7a55498e0876521ad11cc2fa349665b11c715334a77f72b29

SHA512
710c18ef4e21aa6f666fa4f8d123b388c751e061b2197dae0332091fbef5bd216400c0f3bca8622f89e88733f23c66571a431eb3330dba87de1fc16979589e97

Download Submit
C:\Users\Admin\AppData\Roaming\Kiwi X\vk_swiftshader.dll

Filesize
4.5MB

MD5
fcec6c6fbc34cfd9a449af66364da381

SHA1
f6016b721dec138d75e9d542f3e2210a673ad52b

SHA256
738fe97f7fbafa6524f11cf0cf0999ca3aef752bed44e1179d589aae92937ed2

SHA512
26527975979e58870c3c365b9ab432b4b3af88ed606673971fba009489db4482a5ace0e122b8cf67de075c37174c7c423ee8e219cfb4c9a331be66bb8af9edf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\kiwi-x-nativefier-f28be5\Cache\Cache_Data\f_000002

Filesize
210KB

MD5
5ac828ee8e3812a5b225161caf6c61da

SHA1
86e65f22356c55c21147ce97903f5dbdf363649f

SHA256
b70465f707e42b41529b4e6d592f136d9eb307c39d040d147ad3c42842b723e7

SHA512
87472912277ae0201c2a41edc228720809b8a94599c54b06a9c509ff3b4a616fcdd10484b679fa0d436e472a8fc062f4b9cf7f4fa274dde6d10f77d378c06aa6

Download Submit
C:\Users\Admin\AppData\Roaming\kiwi-x-nativefier-f28be5\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
048e4222a50737a5385e3cd163b4e4dd

SHA1
cdd86714e55b33d7db0a2077b77aac3af18002b0

SHA256
df9b9dc035bfd16fe9bfd76991151912af772b9ce434051eacb45051c9ea2d89

SHA512
465008b5e5684860bebb63777572e1cce6675c7ca40010a2fb74cc699e319cb6e9d03327c0bd2d6c268331c9926dcc3a9e5349e52d07245303ca47b261b9a3d2

Download Submit
C:\Users\Admin\AppData\Roaming\kiwi-x-nativefier-f28be5\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
ff0e6befcc6fbe5369c4611a1c287a18

SHA1
afb1e87378d0497dc2f31527f43a15ceae73a2ee

SHA256
df07b86ec9ad54a442bf5791a745758f59abceaf805e2f30c1a36cada56eac45

SHA512
19929a28cd411cc8e09c36e45117a9affb7581a915522e6ea485286fb6d13e6283acaa51ec0881d734794dbe691acea437a331b129b57ea09336630619a086f0

Download Submit
C:\Users\Admin\AppData\Roaming\kiwi-x-nativefier-f28be5\Network\Network Persistent State

Filesize
1KB

MD5
3d56d884a14d8eae36fa0ea82cce26f6

SHA1
bcdcff7288b7a3b2121105fb83b8e35017317c87

SHA256
11c7185917f39849a9d72a32998da19d2c387bc636be5ff3817bedec4b4de5ac

SHA512
563779d28a16d37f4db83a2c5dfb5015a7153d8f6cfa5dc890cca95f9a1ec2f0cc471f5df188c680eeac940bcbb912dc34d4c02251f387f135cf5740eba75b33

Download Submit
C:\Users\Admin\AppData\Roaming\kiwi-x-nativefier-f28be5\Network\Network Persistent State~RFe5bb979.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\kiwi-x-nativefier-f28be5\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\Kiwi.X.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
\??\pipe\LOCAL\crashpad_3364_BYPHQJBFGBFLLJJG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1352-3483-0x0000000074280000-0x000000007429C000-memory.dmp

Filesize
112KB

Download
memory/1352-3458-0x0000000074170000-0x00000000741F2000-memory.dmp

Filesize
520KB

Download
memory/1352-3752-0x0000000000B00000-0x0000000000DFE000-memory.dmp

Filesize
3.0MB

Download
memory/1352-3484-0x0000000074200000-0x0000000074277000-memory.dmp

Filesize
476KB

Download
memory/1352-3485-0x0000000074170000-0x00000000741F2000-memory.dmp

Filesize
520KB

Download
memory/1352-3486-0x0000000074140000-0x0000000074162000-memory.dmp

Filesize
136KB

Download
memory/1352-3940-0x0000000000B00000-0x0000000000DFE000-memory.dmp

Filesize
3.0MB

Download
memory/1352-3758-0x0000000073F20000-0x000000007413C000-memory.dmp

Filesize
2.1MB

Download
memory/1352-3487-0x0000000073F20000-0x000000007413C000-memory.dmp

Filesize
2.1MB

Download
memory/1352-3750-0x0000000073F20000-0x000000007413C000-memory.dmp

Filesize
2.1MB

Download
memory/1352-3482-0x00000000742A0000-0x0000000074322000-memory.dmp

Filesize
520KB

Download
memory/1352-3625-0x0000000000B00000-0x0000000000DFE000-memory.dmp

Filesize
3.0MB

Download
memory/1352-3456-0x00000000742A0000-0x0000000074322000-memory.dmp

Filesize
520KB

Download
memory/1352-3457-0x0000000073F20000-0x000000007413C000-memory.dmp

Filesize
2.1MB

Download
memory/1352-3460-0x0000000000B00000-0x0000000000DFE000-memory.dmp

Filesize
3.0MB

Download
memory/1352-3481-0x0000000000B00000-0x0000000000DFE000-memory.dmp

Filesize
3.0MB

Download
memory/1352-3459-0x0000000074140000-0x0000000074162000-memory.dmp

Filesize
136KB

Download
memory/1352-3744-0x0000000000B00000-0x0000000000DFE000-memory.dmp

Filesize
3.0MB

Download
memory/1352-3829-0x0000000073F20000-0x000000007413C000-memory.dmp

Filesize
2.1MB

Download
memory/1352-3823-0x0000000000B00000-0x0000000000DFE000-memory.dmp

Filesize
3.0MB

Download
memory/1536-1013-0x0000000000960000-0x0000000000C43000-memory.dmp

Filesize
2.9MB

Download
memory/1536-1035-0x0000000000960000-0x0000000000C43000-memory.dmp

Filesize
2.9MB

Download
memory/3864-1049-0x00007FF96BAF0000-0x00007FF96BAF1000-memory.dmp

Filesize
4KB

Download
memory/3864-1172-0x0000022D93910000-0x0000022D93ABC000-memory.dmp

Filesize
1.7MB

Download
memory/4184-1148-0x000001AB4E470000-0x000001AB4E471000-memory.dmp

Filesize
4KB

Download
memory/4184-1174-0x000001AB4E2C0000-0x000001AB4E46C000-memory.dmp

Filesize
1.7MB

Download
memory/4412-1122-0x00007FF96B420000-0x00007FF96B421000-memory.dmp

Filesize
4KB

Download
memory/4412-1123-0x000001A104FA0000-0x000001A104FA1000-memory.dmp

Filesize
4KB

Download
memory/4412-1173-0x000001A104DF0000-0x000001A104F9C000-memory.dmp

Filesize
1.7MB

Download
memory/5052-2058-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads