wannacry | hxxp://g

Analysis

max time kernel
367s
max time network
368s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
31-08-2024 14:21

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://g

Score

10^/10

wannacry defense_evasion discovery persistence privilege_escalation ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Downloads MZ/PE file

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\rsElam.sys	UnifiedStub-installer.exe
File opened for modification	C:\Windows\system32\drivers\rsElam.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsCamFilter020502.sys	UnifiedStub-installer.exe
File created	C:\Windows\system32\drivers\rsKernelEngine.sys	UnifiedStub-installer.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD556B.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5555.tmp	WannaCry.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 46 IoCs

pid	Process
408	memz-trojan_FLt-OD1.exe
2956	memz-trojan_FLt-OD1.tmp
2500	prod0.exe
2384	saBSI.exe
1144	rhsjp4qo.exe
864	UnifiedStub-installer.exe
1680	rsSyncSvc.exe
4920	rsSyncSvc.exe
1404	installer.exe
5692	installer.exe
2716	ServiceHost.exe
6828	UIHost.exe
5404	updater.exe
392	rsWSC.exe
8056	rsWSC.exe
6488	WannaCry.exe
5352	!WannaDecryptor!.exe
1552	!WannaDecryptor!.exe
3632	!WannaDecryptor!.exe
2968	!WannaDecryptor!.exe
8100	!WannaDecryptor!.exe
8060	!WannaDecryptor!.exe
7256	!WannaDecryptor!.exe
5384	rsWSC.exe
7908	!WannaDecryptor!.exe
7556	!WannaDecryptor!.exe
1904	!WannaDecryptor!.exe
3108	!WannaDecryptor!.exe
7200	!WannaDecryptor!.exe
7920	!WannaDecryptor!.exe
8116	!WannaDecryptor!.exe
540	!WannaDecryptor!.exe
2924	!WannaDecryptor!.exe
7972	!WannaDecryptor!.exe
7224	!WannaDecryptor!.exe
3512	!WannaDecryptor!.exe
776	rsWSC.exe
5332	!WannaDecryptor!.exe
7296	!WannaDecryptor!.exe
2864	!WannaDecryptor!.exe
4364	!WannaDecryptor!.exe
7416	!WannaDecryptor!.exe
7152	!WannaDecryptor!.exe
7524	!WannaDecryptor!.exe
5308	!WannaDecryptor!.exe
1620	UIHost.exe

Loads dropped DLL 15 IoCs

pid	Process
2956	memz-trojan_FLt-OD1.tmp
864	UnifiedStub-installer.exe
5692	installer.exe
5144	regsvr32.exe
6188	regsvr32.exe
2716	ServiceHost.exe
2716	ServiceHost.exe
2716	ServiceHost.exe
2716	ServiceHost.exe
2716	ServiceHost.exe
2716	ServiceHost.exe
6828	UIHost.exe
6828	UIHost.exe
2716	ServiceHost.exe
864	UnifiedStub-installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
169	raw.githubusercontent.com
174	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rsWSC.exe.log	rsWSC.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-es-ES.js	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\emitter.js	ServiceHost.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Linq.Parallel.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-fr-CA.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\checklisthandler.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\overlay_ui_handler.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-bing-nb-NO.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\subscriptionexpirydate.luc	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngine.Extension.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Threading.Thread.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\resources\app.asar.sig	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\Temp1106062149\jslang\wa-res-shared-pl-PL.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\new-tab-res-toast-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\dataset.js	ServiceHost.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Net.Primitives.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\Temp1106062149\analyticstelemetry.cab	installer.exe
File created	C:\Program Files\McAfee\Temp1106062149\mfw-nps.cab	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-da-DK.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\transport_aws_apigateway_v1.js	ServiceHost.exe
File created	C:\Program Files\McAfee\Temp1106062149\icon_complete.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\core\uithreadexithandler.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\nps\wa-nps-checklist.html	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\edge_onboarding\edge-ext-toast.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\he.pak	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\wa-ss-toast-variants-bg.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\chrome_extension_push_handler.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\featuretrackingfeature.luc	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsEngine.Protection.Edr.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\Temp1106062149\jslang\wa-res-install-da-DK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ss-toast-variants-cs-CZ.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-duckduckgo-hu-HU.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\snapshot_blob.bin	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\rsDatabase.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\preprocessors.js	ServiceHost.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\dimensions\handlers\freesysdrivespace.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\events\formatters\eventformatter_ga.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-options-sk-SK.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\amazon_upsell_handler.luc	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-pps-ru-RU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-hu-HU.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-sstoast-adblock-fr-FR.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Collections.Concurrent.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\System.Data.SQLite.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-score-toast-nl-NL.js	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\vk_swiftshader.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\webadvisor\inst-top.gif	installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\hash128.js	ServiceHost.exe
File created	C:\Program Files\ReasonLabs\EPP\rsClient.Protection.Microphone.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-ext-install-toast-en-US.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\telemetry\serializers\download_scan_ui.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-oem-ss-toast-variants-it-IT.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-fr-FR.js	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\analyticstelemetry\context\msspstatus.luc	installer.exe
File created	C:\Program Files\ReasonLabs\Common\Client\v1.6.0\locales\et.pak	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\Microsoft.Diagnostics.FastSerialization.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.Security.Cryptography.Primitives.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\Webadvisor\Analytics\Scripts\transport_event_hub.js	ServiceHost.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\System.IO.FileSystem.Watcher.dll	UnifiedStub-installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\jslang\wa-res-uninstall-fr-CA.js	installer.exe
File opened for modification	C:\Program Files\McAfee\Webadvisor\Analytics\dictionary.json	ServiceHost.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages\builtin\women-on-laptop-features.png	installer.exe
File created	C:\Program Files\McAfee\WebAdvisor\MFW\packages_web_view\webadvisor\wa-ui-dialog-balloon.js	installer.exe
File created	C:\Program Files\ReasonLabs\EPP\EDR\x64\SQLite.Interop.dll	UnifiedStub-installer.exe
File created	C:\Program Files\ReasonLabs\EPP\rsAssistant.exe	UnifiedStub-installer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\memz-trojan_FLt-OD1.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1968	2956	WerFault.exe	123
3548	2956	WerFault.exe	123

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhsjp4qo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saBSI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	memz-trojan_FLt-OD1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	memz-trojan_FLt-OD1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	memz-trojan_FLt-OD1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	memz-trojan_FLt-OD1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
868	taskkill.exe
3192	taskkill.exe
7764	taskkill.exe
8128	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "142"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ServiceHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ServiceHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ServiceHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ServiceHost.exe

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\x64\\WSSDep.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	memz-trojan_FLt-OD1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\ = "McAfee SiteAdvisor MISP Integration"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-661032028-162657920-1226909816-1000\{0ED75054-129D-4D2A-9ED6-28CC7297CB41}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ = "C:\\Program Files\\McAfee\\WebAdvisor\\win32\\WSSDep.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{21CBFEC0-E728-420C-B4A4-A58AD2089ABA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	UnifiedStub-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e2000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c000000010000000400000000100000040000000100000010000000be954f16012122448ca8bc279602acf5030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2090000000100000016000000301406082b0601050507030306082b060105050703086200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e12700b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000000f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 0f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 1900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e0b00000001000000800000004d006900630072006f0073006f006600740020004900640065006e007400690074007900200056006500720069006600690063006100740069006f006e00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079002000320030003200300000006200000001000000200000005367f20c7ade0e2bca790915056d086b720c33c1fa2a2661acf787e3292e1270090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a21d0000000100000010000000e78921f81cea4d4105d2b5f4afae0c78030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	UnifiedStub-installer.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 719489.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\memz-trojan_FLt-OD1.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 978982.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1448	msedge.exe
1448	msedge.exe
4304	msedge.exe
4304	msedge.exe
4360	identity_helper.exe
4360	identity_helper.exe
720	msedge.exe
720	msedge.exe
3576	msedge.exe
3576	msedge.exe
5112	msedge.exe
5112	msedge.exe
2384	saBSI.exe
2384	saBSI.exe
2384	saBSI.exe
2384	saBSI.exe
2384	saBSI.exe
2384	saBSI.exe
2384	saBSI.exe
2384	saBSI.exe
2384	saBSI.exe
2384	saBSI.exe
2384	saBSI.exe
2384	saBSI.exe
864	UnifiedStub-installer.exe
864	UnifiedStub-installer.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe
864	UnifiedStub-installer.exe
864	UnifiedStub-installer.exe
864	UnifiedStub-installer.exe
864	UnifiedStub-installer.exe
864	UnifiedStub-installer.exe
864	UnifiedStub-installer.exe
864	UnifiedStub-installer.exe
864	UnifiedStub-installer.exe
864	UnifiedStub-installer.exe
864	UnifiedStub-installer.exe
864	UnifiedStub-installer.exe
864	UnifiedStub-installer.exe
864	UnifiedStub-installer.exe
864	UnifiedStub-installer.exe
864	UnifiedStub-installer.exe
864	UnifiedStub-installer.exe
864	UnifiedStub-installer.exe
864	UnifiedStub-installer.exe
2716	ServiceHost.exe
2716	ServiceHost.exe
2716	ServiceHost.exe
2716	ServiceHost.exe
2716	ServiceHost.exe
2716	ServiceHost.exe
2716	ServiceHost.exe
2716	ServiceHost.exe
2716	ServiceHost.exe
2716	ServiceHost.exe
2716	ServiceHost.exe
2716	ServiceHost.exe
2716	ServiceHost.exe
2716	ServiceHost.exe
2716	ServiceHost.exe
2716	ServiceHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1552	!WannaDecryptor!.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
5936	fltmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

pid	Process
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	prod0.exe
Token: SeDebugPrivilege	864	UnifiedStub-installer.exe
Token: SeShutdownPrivilege	864	UnifiedStub-installer.exe
Token: SeCreatePagefilePrivilege	864	UnifiedStub-installer.exe
Token: SeDebugPrivilege	864	UnifiedStub-installer.exe
Token: SeSecurityPrivilege	5036	wevtutil.exe
Token: SeBackupPrivilege	5036	wevtutil.exe
Token: SeLoadDriverPrivilege	5936	fltmc.exe
Token: SeSecurityPrivilege	6996	wevtutil.exe
Token: SeBackupPrivilege	6996	wevtutil.exe
Token: SeDebugPrivilege	392	rsWSC.exe
Token: SeDebugPrivilege	8056	rsWSC.exe
Token: SeDebugPrivilege	8128	taskkill.exe
Token: SeDebugPrivilege	868	taskkill.exe
Token: SeDebugPrivilege	3192	taskkill.exe
Token: SeDebugPrivilege	7764	taskkill.exe
Token: SeDebugPrivilege	5384	rsWSC.exe
Token: SeShutdownPrivilege	7468	chrome.exe
Token: SeCreatePagefilePrivilege	7468	chrome.exe
Token: SeShutdownPrivilege	7468	chrome.exe
Token: SeCreatePagefilePrivilege	7468	chrome.exe
Token: SeShutdownPrivilege	7468	chrome.exe
Token: SeCreatePagefilePrivilege	7468	chrome.exe
Token: SeDebugPrivilege	8044	firefox.exe
Token: SeDebugPrivilege	8044	firefox.exe
Token: SeDebugPrivilege	776	rsWSC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
2956	memz-trojan_FLt-OD1.tmp
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
4304	msedge.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe
7468	chrome.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
5352	!WannaDecryptor!.exe
5352	!WannaDecryptor!.exe
1552	!WannaDecryptor!.exe
1552	!WannaDecryptor!.exe
3632	!WannaDecryptor!.exe
2968	!WannaDecryptor!.exe
8100	!WannaDecryptor!.exe
8060	!WannaDecryptor!.exe
7256	!WannaDecryptor!.exe
7908	!WannaDecryptor!.exe
7556	!WannaDecryptor!.exe
1904	!WannaDecryptor!.exe
3108	!WannaDecryptor!.exe
7200	!WannaDecryptor!.exe
7920	!WannaDecryptor!.exe
8116	!WannaDecryptor!.exe
540	!WannaDecryptor!.exe
2924	!WannaDecryptor!.exe
7972	!WannaDecryptor!.exe
7224	!WannaDecryptor!.exe
3512	!WannaDecryptor!.exe
8044	firefox.exe
5332	!WannaDecryptor!.exe
7296	!WannaDecryptor!.exe
2864	!WannaDecryptor!.exe
4364	!WannaDecryptor!.exe
7416	!WannaDecryptor!.exe
7152	!WannaDecryptor!.exe
7524	!WannaDecryptor!.exe
5308	!WannaDecryptor!.exe
8036	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 2976	4304	msedge.exe	81
PID 4304 wrote to memory of 2976	4304	msedge.exe	81
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 2568	4304	msedge.exe	82
PID 4304 wrote to memory of 1448	4304	msedge.exe	83
PID 4304 wrote to memory of 1448	4304	msedge.exe	83
PID 4304 wrote to memory of 2360	4304	msedge.exe	84
PID 4304 wrote to memory of 2360	4304	msedge.exe	84
PID 4304 wrote to memory of 2360	4304	msedge.exe	84
PID 4304 wrote to memory of 2360	4304	msedge.exe	84
PID 4304 wrote to memory of 2360	4304	msedge.exe	84
PID 4304 wrote to memory of 2360	4304	msedge.exe	84
PID 4304 wrote to memory of 2360	4304	msedge.exe	84
PID 4304 wrote to memory of 2360	4304	msedge.exe	84
PID 4304 wrote to memory of 2360	4304	msedge.exe	84
PID 4304 wrote to memory of 2360	4304	msedge.exe	84
PID 4304 wrote to memory of 2360	4304	msedge.exe	84
PID 4304 wrote to memory of 2360	4304	msedge.exe	84
PID 4304 wrote to memory of 2360	4304	msedge.exe	84
PID 4304 wrote to memory of 2360	4304	msedge.exe	84
PID 4304 wrote to memory of 2360	4304	msedge.exe	84
PID 4304 wrote to memory of 2360	4304	msedge.exe	84
PID 4304 wrote to memory of 2360	4304	msedge.exe	84
PID 4304 wrote to memory of 2360	4304	msedge.exe	84
PID 4304 wrote to memory of 2360	4304	msedge.exe	84
PID 4304 wrote to memory of 2360	4304	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://g
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff93c7a3cb8,0x7ff93c7a3cc8,0x7ff93c7a3cd8
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6140 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2536 /prefetch:1
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6180 /prefetch:8
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6624 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5112
- C:\Users\Admin\Downloads\memz-trojan_FLt-OD1.exe
  "C:\Users\Admin\Downloads\memz-trojan_FLt-OD1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:408
- - C:\Users\Admin\AppData\Local\Temp\is-AQP85.tmp\memz-trojan_FLt-OD1.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-AQP85.tmp\memz-trojan_FLt-OD1.tmp" /SL5="$6016C,1573616,832512,C:\Users\Admin\Downloads\memz-trojan_FLt-OD1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\is-UAIQ9.tmp\prod0.exe
      "C:\Users\Admin\AppData\Local\Temp\is-UAIQ9.tmp\prod0.exe" -ip:"dui=397a1569-0be2-47f2-b50f-ef09823a05f8&dit=20240831142404&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=f4cc&a=100&b=em&se=true" -vp:"dui=397a1569-0be2-47f2-b50f-ef09823a05f8&dit=20240831142404&oc=ZB_RAV_Cross_Tri_NCB&p=f4cc&a=100&oip=26&ptl=7&dta=true" -dp:"dui=397a1569-0be2-47f2-b50f-ef09823a05f8&dit=20240831142404&oc=ZB_RAV_Cross_Tri_NCB&p=f4cc&a=100" -i -v -d -se=true
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2500
    - - C:\Users\Admin\AppData\Local\Temp\rhsjp4qo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rhsjp4qo.exe" /silent
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1144
      - C:\Users\Admin\AppData\Local\Temp\7zS874BE569\UnifiedStub-installer.exe
        
        .\UnifiedStub-installer.exe /silent
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
        
        "C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
        7⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
        7⤵
        Adds Run key to start application
        
        PID:748
        
        C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        8⤵
        Checks processor information in registry
        
        PID:6784
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        9⤵
        
        PID:7648
        
        C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
        
        C:\Windows\SYSTEM32\fltmc.exe
        
        "fltmc.exe" load rsKernelEngine
        7⤵
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:5936
        
        C:\Windows\system32\wevtutil.exe
        
        "C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\elam\evntdrv.xml
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6996
        
        C:\Program Files\ReasonLabs\EPP\rsWSC.exe
        
        "C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
  - - C:\Users\Admin\AppData\Local\Temp\is-UAIQ9.tmp\prod1_extract\saBSI.exe
      "C:\Users\Admin\AppData\Local\Temp\is-UAIQ9.tmp\prod1_extract\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:2384
    - - C:\Users\Admin\AppData\Local\Temp\is-UAIQ9.tmp\prod1_extract\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UAIQ9.tmp\prod1_extract\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1404
      - C:\Program Files\McAfee\Temp1106062149\installer.exe
        
        "C:\Program Files\McAfee\Temp1106062149\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:5692
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        7⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"
        7⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:6188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.fileplanet.com/windows
      4⤵
      PID:4416
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x12c,0x130,0x134,0xfc,0x138,0x7ff93c7a3cb8,0x7ff93c7a3cc8,0x7ff93c7a3cd8
        5⤵
        
        PID:1668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 2416
      4⤵
      Program crash
      PID:1968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 2416
      4⤵
      Program crash
      PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6468 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:7828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:7540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7440 /prefetch:1
  2⤵
  PID:7580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2524 /prefetch:1
  2⤵
  PID:7188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7736 /prefetch:8
  2⤵
  PID:7384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,13738042389854142981,10778948836542654104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7528 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5540
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:6488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 250031725114380.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4928
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:3960
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5352
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3192
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:8128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7764
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1512
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2968
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:8100
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:8060
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:7256
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:7908
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:7556
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1904
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3108
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:7200
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:7920
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:8116
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:540
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2924
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:7972
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:7224
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3512
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5332
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:7296
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2864
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4364
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:7416
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:7152
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:7524
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1564

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:4920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2956 -ip 2956
1⤵
PID:252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2956 -ip 2956
1⤵
PID:832

C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe
"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2716
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:6640
- C:\Program Files\McAfee\WebAdvisor\updater.exe
  "C:\Program Files\McAfee\WebAdvisor\updater.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:5404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:1596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:8128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir "C:\Program Files (x86)\McAfee Security Scan" 2>nul
  2⤵
  PID:7708
- C:\Program Files\McAfee\WebAdvisor\UIHost.exe
  "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
  2⤵
  - Executes dropped EXE
  PID:1620

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:8056

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
"C:\Users\Admin\Downloads\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff91e99cc40,0x7ff91e99cc4c,0x7ff91e99cc58
  2⤵
  PID:7848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1700,i,15134929528974795953,17545691084289120507,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1752 /prefetch:2
  2⤵
  PID:8188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2088,i,15134929528974795953,17545691084289120507,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:7552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2160,i,15134929528974795953,17545691084289120507,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2172 /prefetch:8
  2⤵
  PID:8084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3048,i,15134929528974795953,17545691084289120507,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3076 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3292,i,15134929528974795953,17545691084289120507,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3524,i,15134929528974795953,17545691084289120507,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4332 /prefetch:8
  2⤵
  PID:5164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3516,i,15134929528974795953,17545691084289120507,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4376 /prefetch:1
  2⤵
  PID:7308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4444,i,15134929528974795953,17545691084289120507,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4544 /prefetch:8
  2⤵
  PID:6104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4272,i,15134929528974795953,17545691084289120507,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4420 /prefetch:8
  2⤵
  PID:7296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4612,i,15134929528974795953,17545691084289120507,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4600 /prefetch:8
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4868,i,15134929528974795953,17545691084289120507,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4208 /prefetch:8
  2⤵
  PID:7240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,15134929528974795953,17545691084289120507,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4276 /prefetch:8
  2⤵
  PID:5864

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:7484

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:6568
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:8044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2148 -parentBuildID 20240401114208 -prefsHandle 2076 -prefMapHandle 1292 -prefsLen 21730 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d046daf1-5ae1-47de-a23f-f4df6b062271} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" gpu
    3⤵
    PID:7352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2480 -parentBuildID 20240401114208 -prefsHandle 2472 -prefMapHandle 2468 -prefsLen 21730 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eea86295-5d28-4253-bc08-055a9c244600} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" socket
    3⤵
    PID:7720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3736 -childID 1 -isForBrowser -prefsHandle 3728 -prefMapHandle 3724 -prefsLen 21286 -prefMapSize 243020 -jsInitHandle 1404 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {185b9ba6-a68c-4a3b-9b59-4ece925d22ec} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" tab
    3⤵
    PID:7216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1688 -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3324 -prefsLen 22575 -prefMapSize 243020 -jsInitHandle 1404 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e7ed9df-b632-443e-9e8e-5b455d55fa25} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" tab
    3⤵
    PID:6944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4380 -childID 3 -isForBrowser -prefsHandle 4372 -prefMapHandle 4368 -prefsLen 29248 -prefMapSize 243020 -jsInitHandle 1404 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {391047a4-8ae3-4f04-af2b-a44a82313fcf} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" tab
    3⤵
    PID:4024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5176 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4936 -prefMapHandle 4812 -prefsLen 29971 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b4eb538-76cc-4d7a-b2f1-a9b8a0ac3ed4} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" utility
    3⤵
    - Checks processor information in registry
    PID:580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4372 -parentBuildID 20240401114208 -prefsHandle 4412 -prefMapHandle 5388 -prefsLen 30166 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6df2da51-5e21-4fb4-80eb-2823bf0b264d} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" rdd
    3⤵
    PID:7876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3824 -childID 4 -isForBrowser -prefsHandle 3336 -prefMapHandle 3848 -prefsLen 28332 -prefMapSize 243020 -jsInitHandle 1404 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2996ca16-2b3b-40dd-8280-d03a4cd68723} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" tab
    3⤵
    PID:936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 5 -isForBrowser -prefsHandle 5572 -prefMapHandle 5580 -prefsLen 28332 -prefMapSize 243020 -jsInitHandle 1404 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {039a70c8-9c9c-4718-99bb-9bba54e61666} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" tab
    3⤵
    PID:2960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 6 -isForBrowser -prefsHandle 5744 -prefMapHandle 5748 -prefsLen 28332 -prefMapSize 243020 -jsInitHandle 1404 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef001996-ca09-4748-84ba-da6d64ef8eb3} 8044 "\\.\pipe\gecko-crash-server-pipe.8044" tab
    3⤵
    PID:6892

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa390d055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:8036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\McAfee\Temp1106062149\analyticsmanager.cab

Filesize
1.8MB

MD5
7302061b9fef9b697962b201c34e5081

SHA1
e891e1c0c3edb30c7a5fe80d9eb3b1de2633cedb

SHA256
4c8c9f3e3f90673b40072b4ef726327a4478f3e4dc2e9f00b63c9180e0b57e3d

SHA512
a4d8bda21818b6549e44496a87c39e95f5d771a9be1f16fef52596da11212f2cda72d322f2e6780adf0d6d37497bcbcb973276f41a042a33934d69df6cf18bbe

Download Submit
C:\Program Files\McAfee\Temp1106062149\analyticstelemetry.cab

Filesize
59KB

MD5
3b20debab96dddc93c792826cdcf50b4

SHA1
c98a2b9d0b38586eaca3bfc9a2ed1c70cc401283

SHA256
fbc497f43ea82692cfdfb71807755e157bc98727bb913937de0d520ba62c559e

SHA512
a0661cbe78628ffa42bac1062c0422f2a1f478e5921942b8bed442d0f8e51cac841c5096b6d2325beead287831d76968355f42e80efcf153c6a5baed32dba0a7

Download Submit
C:\Program Files\McAfee\Temp1106062149\browserhost.cab

Filesize
1.3MB

MD5
2257376648b413b2dcc07fe2cfe25e77

SHA1
67ddcf2748968ea0348b120d24095d6834d3fab3

SHA256
63258dfdc302b44c2ea87d4c5453032b063e510e6b1b757f8e79376c12b0cd52

SHA512
f7370a708baa39b6afa47ffb1c0be1a855461861996a5e5d0fef82d01501e3daf70e2a8b176671254093368b50a9f9819d43e83228dd7f553e650a266c5e1950

Download Submit
C:\Program Files\McAfee\Temp1106062149\installer.exe

Filesize
2.9MB

MD5
87b38d924c043adc0b3d09d632484a22

SHA1
134b18bdb24b989ca09fadfef39fb93c2f6de88f

SHA256
7ab30a366d5144494161f8672dd6e68ad6d5b786357e58e2d5077448205a9a86

SHA512
010dab4cf1bf0fb965ce195912f37034e49c9e970cf6262dd95b8c6ae8797232ca2ffde5f8cc14b967e27b8c1d68f1bfd7941bf128d24363c07dab12df15c119

Download Submit
C:\Program Files\McAfee\WebAdvisor\Analytics\dataConfig.cab

Filesize
73KB

MD5
bd4e67c9b81a9b805890c6e8537b9118

SHA1
f471d69f9f5fbfb23ff7d3c38b5c5d5e5c5acf27

SHA256
916f5e284237a9604115709a6274d54cb924b912b365c84322171872502d4bf8

SHA512
92e1d4a8a93f0bf68fc17288cd1547b2bb9131b8378fbd1ed67a54963a8974717f772e722477417f4eb6c6bb0b3dfba4e7847b20655c3d451cba04f6134c3ab5

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallUtil.InstallLog

Filesize
616B

MD5
8a0b93abf7961a386f153a4165e099f1

SHA1
388165bcf6100b6a6c69cc51693716116e4c4896

SHA256
e1eee4a919996c03ff2a0f0a3617e48bbcdf3c41c9535466de7a02fcdcae680a

SHA512
36972b5ffdde91754c3d2a336856f9bbe9f5bc7fded2420ae8f1ba66df905b0e189327eecc6eff9deb3df29c288dfb60aa16c8f9dbe501e449b92a67aaf5edac

Download Submit
C:\Program Files\ReasonLabs\EPP\InstallerLib.dll

Filesize
337KB

MD5
717d63e7989f80258d29de10d8460ba2

SHA1
e705efde0afe88a02ba6bbaa1fa69ce993fbd3f9

SHA256
210fd6f1cff7875a985d2e8e2e709b2f888b3715a41f1f414b5a531dc7b765d0

SHA512
5c5a2292c30ab4096b01918f556c5c87be23bccc8beda050695f702258778ed9a8fe2ac482b9d7d721af2b776e776e7ffa9ec7961d7cfb1e9535ee600409292d

Download Submit
C:\Program Files\ReasonLabs\EPP\mc.dll

Filesize
1.1MB

MD5
002960b0b7a0372ebd7575a700737c8c

SHA1
50d15e0f49ba4ad4a776a14845cdd353170e549b

SHA256
2564dcfd37ea80b43588fea00b6a0c5c02183b247ac898efd517e3ff045f3af8

SHA512
e2a3f3861a0eabf2e72aafacc367c6effc5c5be6875b75baa97fc8cf6dfd339c137fb8a6f3b0522c9796800d5e6ed6a11699abe896e86adc82050bf48d420ba9

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.Core.dll

Filesize
346KB

MD5
474ccefbb74f2ae94c9309891a6f675c

SHA1
26443edcb19fd5a2259371790e0153810cb640c7

SHA256
478068dca7fc676ed73d9f3f11389ae796a5bd8377d2fecdf740d3af3f071f88

SHA512
29fcd19e45c41de4ae1332c625444cb2f9c087afca74c39eb7357ac77219dcb2f795ce31868a3f3a34ca2b491dadf45905fce2d0fa9ddddad6237c7296d79fe8

Download Submit
C:\Program Files\ReasonLabs\EPP\rsEngine.config

Filesize
6KB

MD5
da40ddb78a86b1b8c50898c4fa4c4c01

SHA1
eb030be663a5806e21edb3e0e9f9f0494a8e1af9

SHA256
326b5e5a574b6a5bf8cdf3459868f15adc509d59446285403100a792662d478f

SHA512
2c4050487e4b394534bc7b3e5804786349003226ca8addfa58000f1fb82c76b82c3f8e8dfec5ee8e771d8e164f8a4cc61a93f93d6536ef44ef8923c9de41a459

Download Submit
C:\Program Files\ReasonLabs\EPP\rsWSC.InstallLog

Filesize
606B

MD5
43fbbd79c6a85b1dfb782c199ff1f0e7

SHA1
cad46a3de56cd064e32b79c07ced5abec6bc1543

SHA256
19537ccffeb8552c0d4a8e0f22a859b4465de1723d6db139c73c885c00bd03e0

SHA512
79b4f5dccd4f45d9b42623ebc7ee58f67a8386ce69e804f8f11441a04b941da9395aa791806bbc8b6ce9a9aa04127e93f6e720823445de9740a11a52370a92ea

Download Submit
C:\Program Files\ReasonLabs\EPP\ui\EPP.exe

Filesize
2.2MB

MD5
28ae7c94fb6d1f1998c872cec8f24d6c

SHA1
6fa98412fcf10b5e415f2ac0f56d7afb02961be9

SHA256
a2b6214df520913c4ad4a0962711d9334705f23ab9afac625b4a6594170ecfb4

SHA512
a156bfb052b08e1d1775579dcb28b71a803e1c66f38c96646e46aef5f3e770f9bb7fcbe4dc4c0149487da45db4535e68dca66041ed4bbb6c13a642e8a2f3533d

Download Submit
C:\Program Files\ReasonLabs\EPP\x64\elam\rsElam.sys

Filesize
19KB

MD5
8129c96d6ebdaebbe771ee034555bf8f

SHA1
9b41fb541a273086d3eef0ba4149f88022efbaff

SHA256
8bcc210669bc5931a3a69fc63ed288cb74013a92c84ca0aba89e3f4e56e3ae51

SHA512
ccd92987da4bda7a0f6386308611afb7951395158fc6d10a0596b0a0db4a61df202120460e2383d2d2f34cbb4d4e33e4f2e091a717d2fc1859ed7f58db3b7a18

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
094b345d95ad05cc16cd437b044449cd

SHA1
cbeee2c3871d736d42e5f2e366019070a1556eb7

SHA256
86440aa67bf368305680afa3ecab895788586eccf67e8da6f9c30fb14d28c37c

SHA512
10d5f42dbb56225b197e48727431bae8fd5f6a3174a16f08b6796a0ee651bfd60bc1658320eea48c3c1772a33ae2faea8a98c74c793bd700b52b90a5fada8531

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
2KB

MD5
12152384eb5a232418e4cb903dbc3136

SHA1
8bfa02a3a39c4b091aa2a986c2c8de3b4f3ec56e

SHA256
960f3624dff69583de731fe25736ec347410d9f89370a5939190677f2691f21e

SHA512
6774951c618028a8958a076bfe64a1a336230792a4894e9a6b6c97c96c0cad22bf72fb9985176b26715bc65a1d45b434eb489ceb87b14aadc8480a0f509105a5

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
1d4f14915876d82c376cebdc28bded0a

SHA1
2bf106fbb24af30cb2c639afcc5fcbb4e782472b

SHA256
96db8a621fb26f7e54b08deaf8e80b9d67e46d4861b6323af951ddf7cfccbfcc

SHA512
b70889dbd117edc4fe6590567d3e722ca59a405ebe13719d5821f7231163ff871a281c1480a549204944f174978ebe40862546aa1ef0d1c540890b01a46a675f

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
2KB

MD5
4420f2fadfffdafa74232a0d26cb165e

SHA1
475160871f197b3737c405b1d13fbac0ce8bdc18

SHA256
1e775bb98bd91c4eecd4ca21a606189b54298655dd15ebf8b50d9b576f69916e

SHA512
0d13b167d623812f148ca4a3a7caa8408215bc1e7dca14acfbe29285c03f62d25c4c0ad1989b48b1bf7fb7810bca302963c1e377d2f7cb0133a19a03c36ccdb9

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
dc17a10790957762c33adbe545a47c66

SHA1
defd9fb6e672ca8cbdfbcaaed8d059b050ecb9a8

SHA256
c596526053cc22afb2665cd1a2d79906b144c2e2eb1e2331c6f773efe27de1dd

SHA512
d3beb93925f83cf26e806a68c554ea3ef78b710ce1ec8cf9d4c1ab3656e253f73889ffdce5237deab43eea49cf50e72a51e3f92ad2a89f8c617c67eac0459aac

Download Submit
C:\ProgramData\McAfee\WebAdvisor\LogicModule.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
eb546ad2f9d7747bb0e93e7feaf15b6e

SHA1
40b27f7f19c03ca5390b368bc41d92f28a44e55d

SHA256
23f63b5e59e4cfa1a4f6a41e48a40b5e63ac57f07dae58b2f072f08a6348287b

SHA512
2198f6e894180e1b0faf2ada9053f0ce6733ab5852c59af34ea1da648209cffa9f14ed23911a36c6c7251bba8486bc81ca58ec8e6d34387e1e5d777a3a0aa113

Download Submit
C:\ProgramData\McAfee\WebAdvisor\ServiceHost.exe\log_00200057003F001D0006.txt

Filesize
4KB

MD5
840603ae58b4b503d1dee5445e5cde2b

SHA1
752ec5f3ee259567183e6a2628b47cdf84419420

SHA256
94a4f8a79ae7e410a63d3e5f14d0febe1526c5d80a9c0e038f6f29f3a578b771

SHA512
70a8dd0133f145a5f315eb5aa0e6a572322176813e9e6a8f91d142e843c853de57ec7e6779b536601eb54d52ced9148cf2890d25cfa28e6963368c9169c7bec9

Download Submit
C:\ProgramData\McAfee\WebAdvisor\ServiceHost.exe\log_00200057003F001D0006.txt

Filesize
4KB

MD5
574bfa7483a385cf3fced5fd163417b9

SHA1
2570febd1dc0fb28d8d1be0200b04041d2ce97d6

SHA256
e2bc155f78dc4b0453480827fc3cc7a891292780bdd32cbbb388b3a6137476a3

SHA512
0d2dd1f5010d101e5dbb92014d323197664dcb63fb64be910f54c05d4f0c0436f976e7490098722b79729884ebb272051daa238f9a2ef33e835aefcc85bde7b7

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
3KB

MD5
bf5295350c558a14d1068883b64f196b

SHA1
5f1d69d8c52c2e7af44b8748552effdbdca76fa0

SHA256
4a6b364a6dd1b80ab015e21de72860e69bc929af44247638d3de61c8139e1705

SHA512
8e06a0ddaee6ecab0f097ea58324e7b89f6fd94e1a1e88127180af8f5529cc3ec1a581c3cc68f5f54497a618384be5f341f22507589f9369f687bfd98a0f5e57

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
6053040edb1c201ecb5bed643d0b951c

SHA1
14599f1b27e0d1f8217c5c5dda10bf650ce31e8d

SHA256
63f122f9e63616f9d2c8c08e282e56e89063cde54dad2ce7a362cb365edb91f0

SHA512
d9de13eb96371e8c877abbda150776f7d14074239d25936a6516a419a0a9edf00486fd56c7e158a7686627dcf74f1cca5df944c2c66053435bbf93ca6979b980

Download Submit
C:\ProgramData\McAfee\WebAdvisor\TaskManager.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
33d249279eab84dc165c0589e981f6f3

SHA1
1c4a36a67fd07713c0a739129c9b694e55512246

SHA256
c6beab6ada52136357a78322e209ca17b892b5d2d22a23d757d63fa88ff07714

SHA512
ad5408da24191288095e0e0da2eb4fefd2231265c6051b30b0213bd975660b9c495690f647e752cd2e6976e154184670a4b6d9859fc394a7f5ac3997ec1d8c28

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
822B

MD5
2abe396420e548db205293c49778e513

SHA1
8ab55baf6d27e360f40f71dcb21233a294b78f2b

SHA256
93bff80b6c4dfffccc4a41a7a3ac8562f0e8b3b86cef7bc8bc4f42e2b38deec0

SHA512
694f33440e97062e385e72b71777457eccac2f389eda984c240773976ebada5f090e90e2a9741f2f4196531bd51160d4553404489f1da571e7a2fe4b77f48717

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
c9c7658ed738cbe013f215b2e97e9239

SHA1
0424934b7846a8a0a59bf97bfa9afdabfd416d46

SHA256
24189cedcbdc7adde75fa56a11d8891bf287e283824f3f0685640b7705520f82

SHA512
081a79b3a29d593ecbbc33b784bd8e450083f0ef4e3b2d2f0e2bdedf5305dc86e97f28ac2ca34f6dc08715f0e96ccd1be0e838db3cc8aceaacec3e2f3d95df54

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
2KB

MD5
0c46317c049ee2108bc9cdc76f1fe630

SHA1
4fdf88f7cdd15bb07e4a2861c8dadef3cf467b82

SHA256
abad4e31c3258e31bd8ff3d901173195c8cfaf4949e37902fe0f9a47e54019de

SHA512
5538911bd9a04c5d393b1b0e29808550e08dbaaad3e35524e12a57ee6bacf30c7921e849886ad01c6059329fdaa345bb9ee3c22543b1fd2a00f80fac12211836

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
2KB

MD5
1e406133b1088d5ab2550c1af0be8935

SHA1
ba75c51f6fb13d5a7ad24cf9d63ba9a2c0e554bc

SHA256
890db9265865f4ff2cb60ce9667b922bba074e245af0f3dd3bf8aa348e4d2e0a

SHA512
18dea20bb13355bea8652b5900d4cee2bf38a15fa7c571f265b2d5d4583e1d0fff0f966ad2814be3d8092849eeff8d93e8b749f182f3356e557f7c53179a4410

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
9516323803ae7a7fd4353286f4383b9e

SHA1
0a67fcb62710d1851c155bde0443ee97107d8f42

SHA256
22c1764f2f7df578a33f96f638481b66a3007a42241737577ace8fb10eda3a14

SHA512
a5033f2bdccba1ea8e3ed5afd32735fab6b6691415775de62447c14a67221857399eed97f1f830186f94cd4b25fb88030de3ab89ffcc839657b04ad0f5a4d1e4

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
1KB

MD5
d2a9103d65303e94cb3559997b6443eb

SHA1
6409ca72210e6fedd9da57fa7dc947768787aadb

SHA256
6c9426426263d5b32f4be255476d5f158e3532411b3882e9f671b42c877b0eeb

SHA512
f380976cf4f2418d27a2a1593734b149603090bf1bfb02e8e88cf6900b4b40382a3b915ba1ab0af987b6d26b3f9dd27a4c6eadfbff284a38ea1d9a96bd4e565e

Download Submit
C:\ProgramData\McAfee\WebAdvisor\UIManager.dll\log_00200057003F001D0006.txt

Filesize
4KB

MD5
3e0405d2da79eda6c8bc863e6f4ef21d

SHA1
21a02f994dcb28ba6cf7e2b2c57b97c04886016c

SHA256
8e6895b6adcca365b260c26e7ba171d1d9f96f2e5966b1cfe0161743571c2120

SHA512
0dcf342a7e882f35afca84c8cc894c4b76f8e4dd1bfb9c239e5b8775c2f94b7e01eb8c6a4f398799d0fa4805d68f85241b3a332df544342a1961c343148206d6

Download Submit
C:\ProgramData\McAfee\WebAdvisor\updater.exe\log_00200057003F001D0006.txt

Filesize
1KB

MD5
42e8fbe007dfac560700eb6431077f02

SHA1
70a7a2ff0d520b6cfeb689fc879eb04f5f593d2e

SHA256
172664a96bf8afd0ef9aec90fb29e8c8f8b9b9b7ea56b0585730879d75a5fe8d

SHA512
0824de181499c5ef27de0579e1d45d8e41def420e907381fc364adf5f00ffc3eab53356a31bba9e0cdbfa6fdece18ab101635eed0a824c544923d4eba91f2cfe

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Recovery\WindowsRE\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
58d5ed9dab7bfc1710116f0093540d30

SHA1
dc576419b0fdd6edef66615d0df8f52d2d72236b

SHA256
263c3ccdcf25ee9b1a292902cd11a2744652da706ee629132db2a6d99f855f28

SHA512
d0d156bb177896ae8befb088047f611c837b818c539274858a66c2855ee2e2e963b84ec739ce37c5def601b5c3b0b5873f18f35ffbfe348f468137a6af229dcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5665c5a3-c078-4945-87d5-c583fe3a6bb9.tmp

Filesize
99KB

MD5
c5bf81ee7fdff8fe43835c0ac18e5c63

SHA1
a79bcb0f299202744cbf9c831d893bc9e4d10f5a

SHA256
5633c8444567ad1226b8a4c9339596cffabafc1096a4a4a89c7c99787f0cab53

SHA512
d83e7e1ca8e6e975e7be1035670e21f92875ba96c345a1c12f5cf714b3099ca303e6fbd64dc5048a102fa2b414b094f3286fc5f5ad208fd18d7d489b716a1f42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7d7f534d2d7d1c29f5c5c4b9a630420e

SHA1
246882f63abf08e8d84e72c22ddc24a51d27986a

SHA256
29c2eec53dd0dfa9a6dc01acaaf9cdeba07e860586e3f43dadd49643a95d025a

SHA512
b397747d01f8f4ff61bdb3e1f223b1463a1aa8606a52b65a353747e485b9ccb2637f653aed8a38e46851cbb308f7391920a72a9a93e6a31134cf2dff14576a89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1deb1b0218e30867f92fe254535a0490

SHA1
a6c03434b273d53b7074dc29d4f6dd464d1472cd

SHA256
6eb1197f0ad1544853f7b5312fa0a7eacabcf9b0271daeb68ffb1078fc1bd244

SHA512
5adbeafda2f62d34d054e9b9c905b73a6c3325ba33dd6eae5c8fb056077211f992c97bfe532f3d2aa0e71f80b015aeb3606b3e9930c8130f13857279f361cf8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f6ca9898275561a113603c819406df1f

SHA1
4798d5e03a0ae53a65ee272a4a730e902945af1c

SHA256
d115dd39b88357d2cc8873584e8e33b09139688c2fb54e90760132968fc9964a

SHA512
27f4780ebb88135554b64729f4f593785bf31aa26dfc0df7f5edf01b4fcb2213e181b93dc5ecca1cd6586ebf6b880bed8ecb0bc51800f63842e435c7cf38f8b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
69fa913cf458a0b1b5186e0927c88102

SHA1
2c2009a3533064de3225aa84389eaa86f1fc4c1e

SHA256
a2f92c914cc9f608058a97a4a1f8af321c8fc4e93d2a55ee79e89c16385a978b

SHA512
0f8a8c5ecfaa71489decebe839073845bac65c9c2ffc2a9b1c02938edaa206c6a55dba6a5e309deb7550a8728c463ab65e698e45da3e7b1875ef8764ac0ebc30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9af507866fb23dace6259791c377531f

SHA1
5a5914fc48341ac112bfcd71b946fc0b2619f933

SHA256
5fb3ec65ce1e6f47694e56a07c63e3b8af9876d80387a71f1917deae690d069f

SHA512
c58c963ecd2c53f0c427f91dc41d9b2a9b766f2e04d7dae5236cb3c769d1f048e4a342ea75e4a690f3a207baa1d3add672160c1f317abfe703fd1d2216b1baf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b0177afa818e013394b36a04cb111278

SHA1
dbc5c47e7a7df24259d67edf5fbbfa1b1fae3fe5

SHA256
ffc2c53bfd37576b435309c750a5b81580a076c83019d34172f6635ff20c2a9d

SHA512
d3b9e3a0a99f191edcf33f3658abd3c88afbb12d7b14d3b421b72b74d551b64d2a13d07db94c90b85606198ee6c9e52072e1017f8c8c6144c03acf509793a9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
67KB

MD5
ed124bdf39bbd5902bd2529a0a4114ea

SHA1
b7dd9d364099ccd4e09fd45f4180d38df6590524

SHA256
48232550940208c572ebe487aa64ddee26e304ba3e310407e1fc31a5c9deed44

SHA512
c4d180292afa484ef9556d15db1d3850416a85ad581f6f4d5eb66654991fa90f414029b4ce13ed142271a585b46b3e53701735ee3e0f45a78b67baa9122ba532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
41KB

MD5
f3d0a156d6ecb39d1805d60a28c8501d

SHA1
d26dd641e0b9d7c52b19bc9e89b53b291fb1915c

SHA256
e8be4436fcedf9737ea35d21ec0dcc36c30a1f41e02b3d40aa0bfa2be223a4a3

SHA512
076acfd19e4a43538f347ab460aa0b340a2b60d33f8be5f9b0ef939ef4e9f365277c4ff886d62b7edb20a299aacf50976321f9f90baba8ccd97bc5ac24a580bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
540af416cc54fd550dcdd8d00b632572

SHA1
644a9d1dfcf928c1e4ed007cd50c2f480a8b7528

SHA256
e4e53d750c57e4d92ab9de185bb37f5d2cc5c4fcc6a2be97386af78082115cbb

SHA512
7692e046e49fcde9c29c7d6ea06ed4f16216ec9fb7ea621d3cc4493364743c03925e74244785588d1a4bfc2bedd32b41e7e66e244990d4076e781d7f4bbb270f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
43KB

MD5
d9b427d32109a7367b92e57dae471874

SHA1
ce04c8aeb6d89d0961f65b28a6f4a03381fc9c39

SHA256
9b02f8fe6810cacb76fbbcefdb708f590e22b1014dcae2732b43896a7ac060f3

SHA512
dcabc4223745b69039ea6a634b2c5922f0a603e5eeb339f42160adc41c33b74911bb5a3daa169cd01c197aeaca09c5e4a34e759b64f552d15f7a45816105fb07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
73KB

MD5
cf604c923aae437f0acb62820b25d0fd

SHA1
84db753fe8494a397246ccd18b3bb47a6830bc98

SHA256
e2b4325bb9a706cbfba8f39cca5bde9dae935cbb1d6c8a562c62e740f2208ab4

SHA512
754219b05f2d81d11f0b54e5c7dd687bd82aa59a357a3074bca60fefd3a88102577db8ae60a11eb25cc9538af1da39d25fa6f38997bdc8184924d0c5920e89c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
26KB

MD5
1de4708beee6992745a7c14b7d8580da

SHA1
03bb2b7dd07f1701da7cf19b68dd23a2b298827b

SHA256
ba0ecf05941451756a9acfc7a913e64dd56ddee8f3811c8a9f1cdd0a219ad64b

SHA512
5d21cd342f3f70a7dc4bdd3b100e6677e74a7fec22af3ffc9d048618d1daeb5dc5e3f1511ffaa2fddf2f3e49b31351d7d4613f7f03e21d2b609483ad6aab9c86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
97KB

MD5
c84289e7cc797f39db39eebc8fd9a6ba

SHA1
c77b9bf6ed3cd0caeca6381351d0ae5a23d45787

SHA256
a769f173353ad624b2f602a45147b0a6e3678089648fa382cc5297d363c98d9b

SHA512
51a7ad6d8529fe988e0e8b157d6abf02fdb92cca4734672015d98d209a944c91001f856b3f9b74eacb32be13c8f886681a258413a4a16019b997a47838945525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
45KB

MD5
15d63a1a8edad65edbc62ddb4e3e99f2

SHA1
03ab95328014fcd548ceb3d1e53de4038781a7c1

SHA256
3c834b90d39c9aaa58316dbe744234f3c8f3befbb15cb5aec32f10845ac73eb0

SHA512
8033f18cc7610f580654fd3286082ad84f4929959215940c14143aced64dc96f973a13f11e998273cf21caa333a9a0dbe30aeec6226663ddd05b2e8f66a715ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cbd8a32f40460c8a79ee5acc2aefa363

SHA1
d876b5cbb2fdb778e78a2332ceb683e2f6739ecd

SHA256
091db4ff5e19ff5616dcd1dc4845c3713e236ab2f664adf9c69c12207b97ff79

SHA512
9b8e741378976394ab0b94cb64d750312ab0b3d7879e01e83e436431b881c78931d7faca3850561a0db65f3797e46541b9a2e7440c0c00d3161602753acd7255

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
bf3ec99de3eb23955c8f912892b6642a

SHA1
944cc8f11b8fd65810e764a1a454909b33fcee2e

SHA256
001f78d22b48257ef0fe2b5554afe544b3b8e983d68f671c20b3af1aae949307

SHA512
08f4baa3c574f53e4495bd0d8ba8452e12f972fd445a80dc3a2e77baf82789a20b0162dccec73e0597d24c9c07a14f8513be5482489d9393f40d67ce81be1721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
96b599ced83b6c25f3575ea114f7f63e

SHA1
ca6c8a488d980b71c29452bcd395c40bcf2c8cd8

SHA256
c516076934327ec958103e792c4581e8f789f6897a181e37dd6965492d53af53

SHA512
5e58bc52724153d453c0be126b7022e992994b7b46d1407ce652e124e9df19ed88642a4cecdde80c0382f810588d55ccfc0928f6d3efb9bdbfbba2ef36dd1b2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
568c9ad564d7d2185f50d5dab6b0978e

SHA1
5f04edc1501bb79c521a1002669f93d8d7dad351

SHA256
494fee12fc901f09ccee1769a668b259b0b131a7b67f50ee56d3f069619cda18

SHA512
00723a11ee79902f0e8b3f0a77dea5a7a999fa5e46117a778e7f27848a556376b89f022bd6965b771cfb4d60bf4813aa6b7b496ece2a94df852ced7ecae95434

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
4f650cc515121338720e120dd9b05c2e

SHA1
7692d2965b9d87129145d20b85f3bf0932492a7a

SHA256
b7af29540e0fdba0c2a515a9e442ffc30c6ff643227cb688fff2cd62ec062b01

SHA512
ed38cf69c7b19c58d812c692227ed4fa2dae69de66247b72761e3eb72fc9f34977f1e15cd3f5fbd6f60b5caa119e1960ec53d3f561b867bd8ee9183366b5ed73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
4bd1c0d120dfc044d0d7cfbca52402cc

SHA1
b779a5508531d3a294a1cd67534b6ee9ad84d78d

SHA256
d108e30cc60b0f9f42d866ff260edf452c66990c5107dd040e741cf89b86b694

SHA512
b25696f6fb1fe45f88296f16027ba8da84ebb87c45984fd95ea2ce4258055da3f33319192d09d1d814576378a69ce9bdd18acaaaa9765f2ca2a239ce8eb0b003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
649a220c1b7b53609f9f1e2a478b64f2

SHA1
cf8a4514d0fd7171c0b29cc4edd4c80264efd6a2

SHA256
0575260d575787e69222cbe8c55bb27891da79a55e150c9b73179f4b8e4abfc9

SHA512
504cb009a2d84c88dafc3667201c486abbdfd99d3a29f481db32cbb7d2f7b39faad2250dab95b90e56d9bf3cddd53dbd80c0b86cbf403b126a68d7f983c37765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
83e1c964a8d6f42f028b384e88612044

SHA1
f98c206cefd8c952da1a61349dca3ab495a69fdc

SHA256
78fd663ad5748dcd6869d1d4c72bc71a672dbde267e824399bc828f3d6613146

SHA512
e6d37f5727dac31e30266b4b74f02b936f018ccfe5f602e204277e1530cdf645f7547a11c1c55dd951b837760c00814e2284a713b37eb876b4597d98d4684540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6285a3a0422a8e8f69e89c8b8f24fe42

SHA1
d66e88237160f0db7844c4b3270d353c6c4ce385

SHA256
2590946e6095626e26a88336e5ae346c9225771a4c51f53e779b54d72ac939c9

SHA512
bda92d70a498cfcf80abbfb4f3121090727ecbfde224e90ef87f6f532409f55999d4360402f2332cd4b9c58810ef15c2349039906662e501ea0cc000a682d9cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
495dd8757e7095866efd8f3d59074160

SHA1
b64c522b7afae4c55a0ed0ddfb1d2a636b626f4f

SHA256
bc6ea91ddfb761dd2917934e4fb1d1178be11ae73f6a9ae530f8d375a3573574

SHA512
2a3cd5b7a4385653b069af24000cfcc3e6cf65c7da10bcc273c949e8a84a8d1679bff8d621448b5bbc17ab71d03d1b6dcf04351fe60d1c7da869d3b710410fe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
72155e81f301fcc9aa970d81d065612b

SHA1
44bb42015dd64f3d6e98c509eef35b2d942a6e49

SHA256
2893faf368908d68ece23eea3581faede5eecd06a191cfc1c54ab1ddfaaa0060

SHA512
eb7d70e952e52228e42e3453807ae865f6e01123825622e357b789b9294c42730167b71071915ef3a0d8f86b427347a5e46e988cf10c9cd6f46a93963a0d4f6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ab0ade4a4b2de94038548589ed2ef2d3

SHA1
fb8edda7b4f71a99d248be424d6f6022c823ffd2

SHA256
5ebbfaaae8618b57887d4ca390d6d5f59526324f9c6ba51ef2c510593ffd413f

SHA512
fea6739cabb96962987bb1aab8b83fac9c1ef2794d9904a3e1253ddd68aa572d92d742b876ba38b6ccaea8a5ebdd23ee13ed29f56d08b3dd2697ce823c30df4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0afc9ad34314003b0a6e9ca970a3978e

SHA1
078758ee509caf1ea6384bdd539ff19f0cc6b8cb

SHA256
f21e21206e4efef827ed910979e2298390f907665b58acca109cd663ee438d39

SHA512
97dee46b50568890fb1927e1256b032e886a62303958eea3c190af7e79e4d6a38f20acb755c65943a86fa5e7f8d5769c75bba305b3ef5685da611fc45245cd2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5fa43e87313f30528c576bf7180ed623

SHA1
24c6bbad901042623598501ed5c52de9864a7674

SHA256
c84d6f8c1d1d67f4f2ecc5fe9c2f11b2f8c03d91871058b09422e03b2c532f0c

SHA512
75a392dd3c71f2176bf44aebe23496063512661e240604fa7856ad37beddbb2a58c510e684f2ba651105996db4aa32aecd3512c20ac7bb6fc8a062c5abaf8880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
567a284bd568272350f5688760c10f58

SHA1
735eddc228a3abacd42a42060f34509b1499dc5e

SHA256
256ba14ef7b61aa954d93073f1c4c0d911ac3018c89807afd8709d2546f552ec

SHA512
4e47d1801b5d72d9cde24010071e025692077fbe9cea627b955195e06f81eb893aa8baa76201d5e52d308e621af54b274b34a4c5f91bd3284898854aa323800c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bed2e64b1c24c0c0ea3c043985ce2a84

SHA1
874ad2eab0d491d8a2d21841e34bb85a5e8d37ae

SHA256
72326b7f74901c6779d0b3c85355995d28d0bd0caac65f2d917efe90fbae729c

SHA512
b875b49afe18bc99e6ec0eb040884bdeb0c0f51dbacc3e2d81040670c47e587bda9af97fc85e86de3259e89679f15ce7de743b427a12f3421c77bd8d6270b321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9d4de09e6c41cc3db020e6df54a1f3fd

SHA1
dcc1058b0d634d84a4c30d1b8951f0769d2154cd

SHA256
1d0b962f9b5ab1d3d48074323f04a4942ccf3faf1005e6167d632fe12c207ce9

SHA512
c4f20f05f0e5bcc2d436c015e2c35ed015e42bb3773c021b34d07cf4ac5a1324d98473899f84d1e8c22d49162a5eedf22861562e461fe52daa154ef924422fef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
172c42a0076b53efdd64dd91a29f7b35

SHA1
a1be21b55ececce7ba8fbf860161aad0318de367

SHA256
7b9f5098f7e19ba0acdb91fd0911af35e1c450e2cf3bd07a697347ce92a49a88

SHA512
924cd25eec130e3cf80eb8b73022162f639e14809962e52ed8e21afbdebbdca645d10a5f48077a0b600464d60cc88011691ed7c7049fb779ddf569f71c58e8a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
fefbaa5f6a986ebf9518dfbed31950d4

SHA1
f065da144884df0197cbfb5b2a0c4b107c037b7c

SHA256
069216046ffa514e4c5cf6918597edda1c67ac43d06f774774a4065918294181

SHA512
6bd2c125db495d4568131c8c5516850209d5f34f9b930eb26a14ea5e3f60c5ca5bf30573bbc8cc848e9babc2fd35cb8c79c8c188546c7c7d5c06d0500117df5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1e277643f4f4cdb894bcf078dc44f39e

SHA1
3ad8b449efdb6a2bd3ba682a833f1c680dc52169

SHA256
14d9254220062708ee9f7957383177d78c084d970d78934a666672eb61edbcde

SHA512
7b4d593afa07b8b223b66a221685048474e1ec5ab25b30d303e00dcbb0afd49e719cf2d6b09d2794d21f7649771698fc52a4d1b474d5d446cd75c35b7e6dde53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
37fcbfd07b856cc4d299b62e449777f9

SHA1
82b6039c48732d878dedf82f963ee1997b56b5c5

SHA256
04fc455bb9ad81939be2a212b6ceb6fbabd5b42e6d9b93a2aeace6ec23fd090c

SHA512
9d00fd882b942f0c44acd6c2ea69ced8cb25cfbea0e647f6f5f7f559d83edb3816d0ecf67edb7fba1c243709b7711f38c9590b5194ed660b9689138090acf962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
47041176d9825323bf66fd8e821f64f3

SHA1
f507a4172390248a946dd1cc7a504ad06c13bbe0

SHA256
51a8ee0ea4cb2244120ac60d8f048d24dd01781dff217f28f33aee483761b4d7

SHA512
8c6440cb116694b3413c412b6a5fe79501207cb0e4e76aa24b6faa953ca56b008cd1415d5d4b2307a571122490fbe5dc169cd2787afe977c09ecf76d169aa0d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8d2227d22ab4fbdb53284d7b38d2ae36

SHA1
0356165c51ab06e99065736760cac90b716aefb3

SHA256
666e5bfd0b9c2cde98c6e49182062b0b42ac024bcee18ea66794add114675872

SHA512
03b2d65fd8a839621d2f4ac14a78b279495e0c749c95b0c5d74a4200797498ed58f3a3a5ad09cc779f3a5503e481ba825793e619951e935772b31b3d6d43f298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fe9e6ab7f769a4ea5b212977c8d2de16

SHA1
38dda5447d57997c9578d29a77fa209078f20589

SHA256
a6cc18d0dd048af555b167aa20745ab7c070882ba9a5b617a7e18cb89c5a444f

SHA512
016bdfb05f8ab0d93a6f38436366754aeccceebeb67e004647406f1f3ade16d032f8f58086a771f9af41d5545a75dac396299d940c8804686db4311f8b477332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a48dc842d4c2eac7ecc45376284f13ed

SHA1
57ec5037516947f223adfefa95ab36e0cb42baa5

SHA256
3a33968f9c50c6d59a998a9d8d6710940a39f47d9dc6e41da8887d94d5a880ce

SHA512
114ebb535d23b4595b71e6be838dd3521badb1631e138512602cfdf49170bb63fb248a4e15ff468c2ebfe27e8b46e3e978a1daf1bb81c846fac7e6ad8b2bc369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58edd6.TMP

Filesize
536B

MD5
170436ffe9b23df9a99bff7c60080b6a

SHA1
6a5ef6d28ee4844d4ab3a402a743452697dacb9d

SHA256
9435a5e16ad8b7eecb0bf4c6c571d345bdec17899fc8ac51dcfeaa5aec20d953

SHA512
734eb14023d895f4f95a7b0aefe622abc597fd1e7134b3d79d7890054af04f462d5cf3033d3126e69fae0f9a4cc9555072d34b488d04a3d07125ffb833624f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b8c80e57-7af8-4e71-bae7-53e4f9868407.tmp

Filesize
6KB

MD5
465f9db2fb220a25ded35f4027af6240

SHA1
b28748eae33a0c508af132c0ef0247f136e78607

SHA256
063e5ba9526b1f36554950978d48a62e5f7fb058001ca7dbd59c3ec91d0becc7

SHA512
cac18ec366bec4a07e797507ea425c026547edcf0fc313d5aad1bec1903d99587e6d70049297dc23944dde63581b86685fefcc58825036601e582c4f4c276e57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cbabf51b626f0cc4e4bbe6f47269daa1

SHA1
7b1b0564a22fe55fda606a7cd1da87918aed54eb

SHA256
43a03edeb5379c1ecb638b05e26ee401af07a18a8a5bc334bdb55296c26c67c3

SHA512
ef20e5158260df38bbacc6831d747f7d4103987887b187f6769f18c9eac33c954539d2beccbd8fa724aba4d60ed791350b13564df030ca3130094e9185afc141

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4c889c115186bb8721bb58ff3efe4839

SHA1
9ffa43e0dd0edf6fcb3d67c9b14fb5e7f275563d

SHA256
e34e412b0c5e0c2672addbb8dd3f6802522e557ec3ef0e99d375b4b59f3b7a0a

SHA512
6b4366982ebb31497c1c16684fa0bad013f475aba5a17f907a12dd6673e6c17488da6fe2d71cee31650e6ec4d05418e9a8f1668bf62475a7cb55b3fe7d2da8f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6236cf2a73cfe22ae83cb62842da6e43

SHA1
51bf2933b488d71fea169e3156cea50f6cb29e80

SHA256
e8de82f5a42baab7d29669d38dfc5b5d6574ee0e9d6c56a916bce8a7bb0ce51e

SHA512
8fadb33c5d074076585d8a4f334d7a092dc7c36ec42e53233a8b9e4b7744e72fdc2af1cadd3d20bda0a268bc7f1380c0f6cb88e8fb694d5fd5cccb2a5e415cfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
45b3ffa06d5d35f02689bb7fea7f7327

SHA1
18b9fb3ec16a5da36b5175f75c4dcedd29bb6b59

SHA256
1d351094006bba501bbc42156075d312e9ec8fe5594fef312fadf2184a4147d2

SHA512
e727edb8ba595ad18de0d5ca1ed25d1f6f01690c0d71bc4990e54ca8440e29cc6f4c45cfaf1d4a5d6e4dc7a5198ccae3084a68d7cfeec7980706c82ae3b95d8a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\seoxtri5.default-release\activity-stream.discovery_stream.json

Filesize
40KB

MD5
40cba0077029cd2719c2d216ed75f143

SHA1
96911a94c757d8a6e324d1cfd332cf16c06af72b

SHA256
b27247648a9b15675935f108aaf6d7baf87e474a0b535c341e4c050079bd694f

SHA512
89e41c148b9eab6ca62780a0a330321757cbcda63ec736aa895a6074e57142bb08c14827b443ce92fa617cbd8ddf59b83dcdc2a4f33f0880523432a5f690eca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS874BE569\3e737db6-1e45-4287-b7e0-767a5e7c5ee8\UnifiedStub-installer.exe\assembly\dl3\c115c370\154af482_b1fbda01\rsAtom.DLL

Filesize
171KB

MD5
977069f5717eb555f4105cc90337e5d5

SHA1
fd0cc9cbd6cf41bd79f7b85733bf935343013eb6

SHA256
b992d4e90f5855d6e2b23d8f07bc25ce01d036adc9a0fb8fd20980b2a3f53b6c

SHA512
7cc613891799bf8badbadd9635c63ca6a53fd4defa041fa88644f047d66823289157280c5dfb05e83673c4f3f51c8cdba348d405dc0d7251d304536dc11deda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS874BE569\3e737db6-1e45-4287-b7e0-767a5e7c5ee8\UnifiedStub-installer.exe\assembly\dl3\e8bf3190\cc350083_b1fbda01\rsServiceController.DLL

Filesize
183KB

MD5
61ee0fc6e3a5e22800dc0c508ceebc87

SHA1
d306f559b2e4c7064012dae675b7fc707e2e3b76

SHA256
ce8abebc4d0549e55068c7f4fcf66089b4c27275386b26c0c895eafd69aaa47a

SHA512
e87a5b34eb851f39a13744c8a10dbea70db8c78d4d2e6c6654bb955a1f748de5c7140a0e88d9ce230febb1c140e810ad66b88f1a49aa2742c9b4673aba3a928b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS874BE569\3e737db6-1e45-4287-b7e0-767a5e7c5ee8\UnifiedStub-installer.exe\assembly\dl3\e9dd4d4d\cc350083_b1fbda01\rsLogger.DLL

Filesize
183KB

MD5
7d3da27f015487f44111e10bd51427d8

SHA1
0ad75a0c33ddb282f5c6935f13551e26e37ddf6e

SHA256
eff54120bb45593e9d71276d45cf0c0536fa6f274f4e9aa2ff097484e2a2a882

SHA512
809ca50574f052105edcc40484369ac8774d8d86b0e447d03f41bbbf0b47dec25e24426c6fbd07c02b9817d55654d38556655e32ec70c99987bace21cddef6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS874BE569\3e737db6-1e45-4287-b7e0-767a5e7c5ee8\UnifiedStub-installer.exe\assembly\tmp\465QEQKT\rsJSON.DLL

Filesize
221KB

MD5
4ff4665dedb0cd456542d6496a0244d4

SHA1
9c5703ed072185723934a48e59dd279aa82dc284

SHA256
06fb55b0a5ac9908805867860b504ee183791088f99de5ddc02bf63b4322a86f

SHA512
28cc4ddb479a0c44d60ee12da8f9969e5bda822394ad65f16dbe5e637a6ab049ac52f4a729c3bac1725f97b8e95ee6c302a17ca10b040d5574df71ccff225896

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS874BE569\Microsoft.Win32.TaskScheduler.dll

Filesize
340KB

MD5
e6a31390a180646d510dbba52c5023e6

SHA1
2ac7bac9afda5de2194ca71ee4850c81d1dabeca

SHA256
cccc64ba9bbe3897c32f586b898f60ad0495b03a16ee3246478ee35e7f1063ec

SHA512
9fd39169769b70a6befc6056d34740629fcf680c9ba2b7d52090735703d9599455c033394f233178ba352199015a384989acf1a48e6a5b765b4b33c5f2971d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS874BE569\Newtonsoft.Json.dll

Filesize
701KB

MD5
4f0f111120d0d8d4431974f70a1fdfe1

SHA1
b81833ac06afc6b76fb73c0857882f5f6d2a4326

SHA256
d043e6cde1f4d8396978cee2d41658b307be0ca4698c92333814505aa0ccab9a

SHA512
e123d2f9f707eb31741ef8615235e714a20c6d754a13a97d0414c46961c3676025633eb1f65881b2d6d808ec06a70459c860411d6dd300231847b01ed0ce9750

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS874BE569\UnifiedStub-installer.exe

Filesize
1.0MB

MD5
493d5868e37861c6492f3ac509bed205

SHA1
1050a57cf1d2a375e78cc8da517439b57a408f09

SHA256
dc5bc92e51f06e9c66e3933d98dc8f8d217bc74b71f93d900e4d42b1fb5cc64f

SHA512
e7e37075a1c389e0cad24ce2c899e89c4970e52b3f465d372a7bc171587ed1ee7d4f0a6ba44ab40b18fdf0689f4e29dfdbccbabb07e0f004ef2f894cb20d995d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS874BE569\rsAtom.dll

Filesize
169KB

MD5
dc15f01282dc0c87b1525f8792eaf34e

SHA1
ad4fdf68a8cffedde6e81954473dcd4293553a94

SHA256
cc036bcf74911fe5afb8e9fcc0d52b3f08b4961bcda4e50851eda4159b1c9998

SHA512
54ee7b7a638d0defcff3a80f0c87705647b722d3d177bc11e80bfe6062a41f138ef99fc8e4c42337b61c0407469ef684b704f710b8ead92b83a14f609f0bc078

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS874BE569\rsLogger.dll

Filesize
182KB

MD5
1cfc3fc56fe40842094c7506b165573a

SHA1
023b3b389fdfa7a9557623b2742f0f40e4784a5c

SHA256
187da6a5ab64c9b814ab8e1775554688ad3842c3f52f5f318291b9a37d846aa2

SHA512
6bd1ceaf12950d047a87fd2d9c1884c7ac6e45bd94f11be8df8144ddd3f71db096469d1c775cf1cb8bc7926f922e5a6676b759707053e2332aa66f86c951fbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS874BE569\rsStubLib.dll

Filesize
271KB

MD5
3bcbeaab001f5d111d1db20039238753

SHA1
4a9c0048bbbf04aa9fe3dfb9ce3b959da5d960f8

SHA256
897131dd2f9d1e08d66ae407fe25618c8affb99b6da54378521bf4403421b01a

SHA512
de6cde3ad47e6f3982e089700f6184e147a61926f33ead4e2ff5b00926cfc55eb28be6f63eea53f7d15f555fd820453dd3211f0ba766cb3e939c14bb5e0cfc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS874BE569\rsSyncSvc.exe

Filesize
798KB

MD5
f2738d0a3df39a5590c243025d9ecbda

SHA1
2c466f5307909fcb3e62106d99824898c33c7089

SHA256
6d61ac8384128e2cf3dcd451a33abafab4a77ed1dd3b5a313a8a3aaec2b86d21

SHA512
4b5ed5d80d224f9af1599e78b30c943827c947c3dc7ee18d07fe29b22c4e4ecdc87066392a03023a684c4f03adc8951bb5b6fb47de02fb7db380f13e48a7d872

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS874BE569\uninstall-epp.exe

Filesize
319KB

MD5
79638251b5204aa3929b8d379fa296bb

SHA1
9348e842ba18570d919f62fe0ed595ee7df3a975

SHA256
5bedfd5630ddcd6ab6cc6b2a4904224a3cb4f4d4ff0a59985e34eea5cd8cf79d

SHA512
ab234d5815b48555ddebc772fae5fa78a64a50053bdf08cc3db21c5f7d0e3154e0726dacfc3ea793a28765aea50c7a73011f880363cbc8d39a1c62e5ed20c5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS874BE569\x64\Reason.ArchiveUtility-x64.dll

Filesize
154KB

MD5
366231ab413d0ce3ad65b38b4ab3e4a6

SHA1
f52e1886563137a4124d3096d7ede5ce1cd1e578

SHA256
ed349b2e11a4c6ada76a72f2462e84551d5451088212a6e0d6fbf4904c8cc19d

SHA512
55b7e9ecab6893331f9cc045a4d60b971fb208ca6f2c12592de98f91389413f9bd5f50460f06507a9cff650b4cec73c61a633f30d1ba869b2ecc93c5a3aaaca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\80a0962c-e785-46eb-af09-2bc9df18a862.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AQP85.tmp\memz-trojan_FLt-OD1.tmp

Filesize
3.1MB

MD5
02b1d8ff84bcd4ebcb01156636269b99

SHA1
15ba86430b90264da7d9f2c05be57c56640d4ba9

SHA256
a6497ddddd577caefe5a39958a604f9ee4bfe93e9da285b147ba6fc6788e75ca

SHA512
640227915b78fb8e0fd8e6a6ca883e4ed4e3fa45524fca5a9344c067840b3fc11c7b98fd05351eabaee3d4afa21711dc0999175cbc154d13b02135706ef5b47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UAIQ9.tmp\Helper.dll

Filesize
2.0MB

MD5
4eb0347e66fa465f602e52c03e5c0b4b

SHA1
fdfedb72614d10766565b7f12ab87f1fdca3ea81

SHA256
c73e53cbb7b98feafe27cc7de8fdad51df438e2235e91891461c5123888f73cc

SHA512
4c909a451059628119f92b2f0c8bcd67b31f63b57d5339b6ce8fd930be5c9baf261339fdd9da820321be497df8889ce7594b7bfaadbaa43c694156651bf6c1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UAIQ9.tmp\RAV_Cross.png

Filesize
74KB

MD5
cd09f361286d1ad2622ba8a57b7613bd

SHA1
4cd3e5d4063b3517a950b9d030841f51f3c5f1b1

SHA256
b92a31d4853d1b2c4e5b9d9624f40b439856d0c6a517e100978cbde8d3c47dc8

SHA512
f73d60c92644e0478107e0402d1c7b4dfa1674f69b41856f74f937a7b57ceaa2b3be9242f2b59f1fcf71063aac6cbe16c594618d1a8cdd181510de3240f31dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UAIQ9.tmp\WebAdvisor.png

Filesize
47KB

MD5
4cfff8dc30d353cd3d215fd3a5dbac24

SHA1
0f4f73f0dddc75f3506e026ef53c45c6fafbc87e

SHA256
0c430e56d69435d8ab31cbb5916a73a47d11ef65b37d289ee7d11130adf25856

SHA512
9d616f19c2496be6e89b855c41befc0235e3ce949d2b2ae7719c823f10be7fe0809bddfd93e28735b36271083dd802ae349b3ab7b60179b269d4a18c6cef4139

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UAIQ9.tmp\mainlogo.png

Filesize
6KB

MD5
cd7f1e004d919724c4c5c5f377a4e2c5

SHA1
8ad9ff0daafa6ace17748cd6d2682993a95df073

SHA256
cb91c579311001831206cd0d044e8e50dfe2283920d952e510c1611a3f136483

SHA512
2ce555c46c5066b0e92964d3f88d94b5ba0ae5cf687401d2025ac10b77fdd46936b0302de4951bd9dc4fbbea59121d079d645caefc8ca40f2c1dc259abafd3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UAIQ9.tmp\prod0.exe

Filesize
32KB

MD5
6c922f5053dcc4eb7f273f770e4f5a3e

SHA1
cb7466e9d803dfa8b87adfab0fd844213e40cdea

SHA256
55ac387bd59791fa409c2937fd51d417f0daabf1b33bef7b6d6e6d8497c92ae7

SHA512
71ba8eafcc7554e93e49370660d07bce2cf16a7757a6d61074a8be3bb06aaf56ecac66923f131bd895b7eda598b8703f927275b8dec2b9a24b58c0d3b9e0939b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UAIQ9.tmp\prod1.zip

Filesize
515KB

MD5
f68008b70822bd28c82d13a289deb418

SHA1
06abbe109ba6dfd4153d76cd65bfffae129c41d8

SHA256
cc6f4faf4e8a9f4d2269d1d69a69ea326f789620fb98078cc98597f3cb998589

SHA512
fa482942e32e14011ae3c6762c638ccb0a0e8ec0055d2327c3acc381dddf1400de79e4e9321a39a418800d072e59c36b94b13b7eb62751d3aec990fb38ce9253

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UAIQ9.tmp\prod1_extract\installer.exe

Filesize
25.9MB

MD5
622b9844fcad806c124c810c1b852b51

SHA1
123056b8bf5d09cba8a7dd3344277d1ba5500bac

SHA256
f67b177ee10e72a7865b96de49591441def17f7d33015e673d91723f8b447566

SHA512
f35ba8609990a7de7bd16e4cc2daf53c3f79badbb06c5770b8c39300624411e3aab743294d94ad987a4db7cb34447a85fea41344e5b5ebc2ed8beb192551ba9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UAIQ9.tmp\prod1_extract\saBSI.exe

Filesize
1.1MB

MD5
143255618462a577de27286a272584e1

SHA1
efc032a6822bc57bcd0c9662a6a062be45f11acb

SHA256
f5aa950381fbcea7d730aa794974ca9e3310384a95d6cf4d015fbdbd9797b3e4

SHA512
c0a084d5c0b645e6a6479b234fa73c405f56310119dd7c8b061334544c47622fdd5139db9781b339bb3d3e17ac59fddb7d7860834ecfe8aad6d2ae8c869e1cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwa86DA.tmp

Filesize
161KB

MD5
662de59677aecac08c7f75f978c399da

SHA1
1f85d6be1fa846e4bc90f7a29540466cf3422d24

SHA256
1f5a798dde9e1b02979767e35f120d0c669064b9460c267fb5f007c290e3dceb

SHA512
e1186c3b3862d897d9b368da1b2964dba24a3a8c41de8bb5f86c503a0717df75a1c89651c5157252c94e2ab47ce1841183f5dde4c3a1e5f96cb471bf20b3fdd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhsjp4qo.exe

Filesize
2.4MB

MD5
64df0fb7ffcda3db58d931f738c9999b

SHA1
b39ece053bcd7971386f3c08403b8256d311d9bb

SHA256
633ba5cc8febebffcca2b0f9d83408a3aa2e5ab36ed2e382b0723dd4db483fcd

SHA512
241f994a88986f676c0ce67a6d8f844881e6501fd3f2948edf4b8720be443c9595ad6c3e130fdbd069ddc2003125f23c955de5e3790f9a481306cdb2c0dc7afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir7468_200558870\4d469bf7-f0c0-43a1-9b49-74a29c7e2add.tmp

Filesize
3.7MB

MD5
1a134c36feb45ce55c57ba3646c9b617

SHA1
cec8338af5a1f3a4e983ce0c80ffbb82fc977e49

SHA256
af2d0d3cf17d2777ed59028f663a99c7e1260e0e3923a8339ae8965975c55727

SHA512
196573b32fec9c7c892a21c836f260f4d2a4fb5f49552facf01c1d66d52b3e1bf1c897e39a1752b63d43eeb6e42151fd7513e2ffce1b2195883eb7356c99657f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir7468_200558870\CRX_INSTALL\interactive_balloon.js

Filesize
1KB

MD5
8811c08dba69f3dd5c1be93169bd13ba

SHA1
e00f8bebcffecdad1a0efd4cf297989b5424cb14

SHA256
5a1312afd6924fa1ddd84e14e420c13cb94980886a3fee322647e29a3a7325fd

SHA512
872cd6836cf9d43c9a6e7b3cedf75fa3b81f907ce322f90b6d80f5b07c28ab6ed8b70d7ff6fc2a673535c499d695ae3f2d82ee9e144e15b66cec6b78074e3708

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

Filesize
6KB

MD5
0b76c46bf93437c4d45916f0ffffce99

SHA1
dad098158aeb3c5a3ef93ab0fef06cf60465af80

SHA256
16376bd950ffd6a577cb70093e2d916f948d598a2ff6eb6bb50ca1032b72953e

SHA512
93a2246b35ef46bd90fbe914b6f77b6019c2082af6d5b77409e24b9d2781a22db42ec5fb09a13dd0549b42dd7527e5bd42e82cb217edd8f893d51bcde5e46231

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

Filesize
8KB

MD5
fb0c20b6515082c2423b4996254c2b50

SHA1
0e426dc6ecb2dc6bae2c87b9655be3d0599cb7b0

SHA256
1a3aec607f4a1068ded47b4cd654df8e964dd8dccfbcf545f1d198a3a77aa540

SHA512
8fbcac0bf1fa705d1fc5140f1519587509b848408e713cbd5e55a65d0c39f335efcfbd35b970216456a5639141a9b9188d1a29ece6f39d7ccc9545958cf837b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
ebc0960514b7d3d5ee1ed1cf4e8e1bcd

SHA1
6586bd3a736ea9894043cc2ad2676834e83857b1

SHA256
7ed7d8811eecbb86a0b3b1b5aa7846958a4a8c8cdbd4c341dbd20ab5ab23f73f

SHA512
14a5853871c585ef65f702f3da05fbdae8f25e1ed9db9cd6ebef183992791745297511abf1f82eb7270e888740f2fdc0c9e6ff1ce15d82ac450afb28d9ad9c1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
795e11e6875b137193d99ae004f46931

SHA1
41e6810182fbfb202788b11a347e64f06243e8ac

SHA256
135e96b271040764573d0008dc3219d6619f7fa50a4a0ff2f6df5ae86a661c3d

SHA512
52b17fe88436f8ab87e0aaba8ca9c263e5bc350af5c9e455ef24a0615e49cfacd328f664bc82f2c30ec1fbcab22613268dffb4779690237770d3843def88a3a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
d3da368f01f4c034d3547cb0712f2a05

SHA1
fb490568905c2165164aabb2044d1447c43ed1a9

SHA256
13883a0a42a204b2c70da200989e8476ae9e5b6f35adb73693c8d3eacac7350b

SHA512
840079af89b7fa16351a348d10163d3d02fa9baf733f87b505f3d2b71d39048893428b62c39fa50e8bde6b8ace8bab6aab91808878affb86a7d753ca794b0f35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\1702a257-1e5a-4960-b0bd-d2436295ffaf

Filesize
982B

MD5
423e2639aa3894f8be8b61f2f18c1ce5

SHA1
28f17c056f43bf6bc3092b1ef860c073920fe176

SHA256
9c0480c67b0004a726e7626302a7dfe654f85775942db7d4816514dea28cd8d7

SHA512
7c6e1b46a48cd0cb79026bb2504e7d4ad4956178eff42873b0cc9afa2b4c581e6aeb4a82cdea12ffb32ff69ee952a1fa1036c82c6c83ef36acac10e48cc65759

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\30f1ac52-da08-421f-8de3-b5bdda8e3c9c

Filesize
671B

MD5
c9d06cdc62c8784b0b5e5127be6938e7

SHA1
34ddee5cbfa87dd715f765b8240ceefa1a3ebce2

SHA256
412e32847f59115451d2cfc38bc81e520349e2320be465414810e11c529587f1

SHA512
a9b2d2b7b9522d04905d466fbd906a09372b6e8a224f51f19e7aff807d8de0810559a13528393d41418cf07a0965f3b0cffa2193b83fef6af0c0c95ab01b8fee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\a747cdd6-3857-4762-9c36-68e660b24dd2

Filesize
24KB

MD5
0d82ca0f288ccb7a5bf6c0344e8a2125

SHA1
356c8db000ea3afa25b8ba1879e40c02ccaa894c

SHA256
176dbc15d95d2032bfc84a3a9669c661838ad81e072d9d2db17d268a8eb7adfb

SHA512
f138d73a004f3e61c8f1584e184adaa122848d5a9dc22ed7d833003fe57703f355d96edf84d11635f045d1fa6b826b16578eab06821c76aa2532cc61a3c180bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\extensions.json

Filesize
37KB

MD5
50316c389ada442b133f534676955311

SHA1
2168df45b6632f0f596098566ae8cad3466be3ba

SHA256
b6b556826431e8181c64e44333d2546ed4bef1fdf9a7503ed5d860711f386a3f

SHA512
9b62fecd7000a00476ac8ae43bcd029b80af826571c5b06aa7406d19e55b85210a91c6a97fe487c78032ca7b1157206565d576bb0e083539df49190ddb103b1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\key4.db

Filesize
288KB

MD5
641f6aaf32af27c84fd0aed96f750bf1

SHA1
6d220bb2af0c0b313de63705b89743d395fb313d

SHA256
e2db5f2a7ae3e03cd856c7d13cf4b4a0aaed625f80d535f17289cfbd908c3dae

SHA512
ac2e41d797af212eb6e3a19d9de8764dd1df2c7a27dde38346345a703a4572c4aa5cf3dd8d5ad510cbf8c856a84d82b7167fa2904f8fb8eeb3956a66a2348757

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs-1.js

Filesize
10KB

MD5
8e1a7ddcdcf399de6541009b3ab0d83a

SHA1
2bc1aa0ff128dc1a371daa2b68c1ad1451625580

SHA256
0e03d0d75d04edc00fda44fa3833439d527d6a9436de2f4d35fa22c09f313c6b

SHA512
a7208f82cb206d76d3395cd0bfe304967c80538971f11ab7777a8cb13690aa3c0cd85fb068ceed87db75a0daee240af24995f72adffa23b5059f99467caea86b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs-1.js

Filesize
12KB

MD5
b169a84e287aa4de5ac6b3f4c8003454

SHA1
3f2508627cc82c918c604aca9d0b35b15fc84b86

SHA256
4fedccdfcfe87bdb23cd2016aa92cfcffa1050c55a8c6ca0d7a8d28413150763

SHA512
3fa2c74aac7818355156bfc6a28ba12a368a7cb252009529bef3dba18dfe96c27633b05f2d274bf4aa6e3989af112231c0f5fd8803e9a0a73f82fe4375d585d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs-1.js

Filesize
11KB

MD5
9a11b2b70784cfdf8fbb0ad5905865f2

SHA1
5da8b32ffa894a24720388a6804d77fdde33e498

SHA256
60386a262eb9c5d68f5d471e2ba5399e3d2a6b90aefadc3f72f16ca2dc9fcc1a

SHA512
41abfc2db26ba5aea152cc975a463588fdea3a9891944db78b1b6e281240def6c2481dc7029a5561cc90135a0072816c5060a470267110bde3eb29f88ee57258

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs-1.js

Filesize
10KB

MD5
7ea63728813d0f242bccea786e150937

SHA1
bdb32a848412376231f103d574052dabd4215e0f

SHA256
a21ef2147d749066b0c05dac392b1e0f8e64c3cefa477c6544fe557e2b43d503

SHA512
867da805ad5d86cb2f321d6d1291ccea959e181869bab32c7e108d5d5d1c15965b3fcfe13e4d146522268625841d6e43f6d20aab8de4be458f270cf26b0811e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs.js

Filesize
1KB

MD5
6fec8fd53f8d8b66291a944055334c07

SHA1
50f01941c841c0cf8c24139417a1407e419565f1

SHA256
6baa4e956ed133d31ee4912ef52a739621c5a5b2503fe75f4479e288b620544e

SHA512
d8b927672cb57979fa0a6b0bd9f6c07ea25862d74733e7b4b6957f81635f4bdc1467bbde12962edef9c52848cff2371e4c8343dfa061d48c70cb06168b5b4198

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
700fe59d2eb10b8cd28525fcc46bc0cc

SHA1
339badf0e1eba5332bff317d7cf8a41d5860390d

SHA256
4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

SHA512
3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 719489.crdownload

Filesize
2.4MB

MD5
bff06775461065b057ccdbff79fc2819

SHA1
3976ef48c5e71635f7de8147105f55291b7e04c1

SHA256
51f9879646e8b8f3ee49f7f0e250cf2c93b2ab9ee76e3f79778bbfbd3659f86f

SHA512
6e43fbdf8103b72350130f894a72bf3fa2e7def61ed9a2d1d38c6b8745f97e5b45a195da818edb2c453c1305d1e036c41a5da0d617d8f18130a123e77d764359

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 978982.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\memz-trojan.zip

Filesize
47KB

MD5
c31e52bf196d6936910fa3dff6b6031e

SHA1
405a89972d416d292b247fd70bbc080c3003b5e6

SHA256
8b47e773a782361209f8adacc8d6aeefb595e1c13ae6813df7de01c20a15c91e

SHA512
a5335c7d3beafdefa6cb1a459736615ca0151fa2e64dafb78de65aa4b924068ad0dc55c70a5317be19edeb899f94ea02e2e54279933b87828ebe86ef95f13291

Download Submit
C:\Users\Admin\Downloads\memz-trojan_FLt-OD1.exe:Zone.Identifier

Filesize
83B

MD5
df3fecac876525b279d58f197aafce68

SHA1
8115bab799e885f89ee074adedb25dbff59c6dea

SHA256
60e908904d85b8faa9a3f92f94a6afc095ea42afd59906ef6deb588333f11a60

SHA512
3eca42c443379adef99d13e72628fcf21ed4faf1831402c85ef52ac288ac051afca731362591346bd72f7fee2a43ae6cb9d49bbd3910c4363a8c8889d9d6ce2d

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/392-4786-0x000001C3ACFD0000-0x000001C3AD00C000-memory.dmp

Filesize
240KB

Download
memory/392-4785-0x000001C394600000-0x000001C394612000-memory.dmp

Filesize
72KB

Download
memory/392-4771-0x000001C3929C0000-0x000001C3929EE000-memory.dmp

Filesize
184KB

Download
memory/392-4772-0x000001C3929C0000-0x000001C3929EE000-memory.dmp

Filesize
184KB

Download
memory/408-745-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/408-427-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/408-503-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/864-3027-0x00000165249C0000-0x0000016524A16000-memory.dmp

Filesize
344KB

Download
memory/864-681-0x000001650B4E0000-0x000001650B50E000-memory.dmp

Filesize
184KB

Download
memory/864-4741-0x0000016524B00000-0x0000016524B30000-memory.dmp

Filesize
192KB

Download
memory/864-4696-0x0000016524A20000-0x0000016524A50000-memory.dmp

Filesize
192KB

Download
memory/864-686-0x00000165241B0000-0x0000016524208000-memory.dmp

Filesize
352KB

Download
memory/864-4681-0x0000016524A20000-0x0000016524A5A000-memory.dmp

Filesize
232KB

Download
memory/864-4728-0x0000016524A20000-0x0000016524A4E000-memory.dmp

Filesize
184KB

Download
memory/864-679-0x000001650B4B0000-0x000001650B4D2000-memory.dmp

Filesize
136KB

Download
memory/864-2951-0x00000165243D0000-0x0000016524420000-memory.dmp

Filesize
320KB

Download
memory/864-678-0x0000016523EF0000-0x0000016523FA2000-memory.dmp

Filesize
712KB

Download
memory/864-672-0x00000165096A0000-0x00000165097AC000-memory.dmp

Filesize
1.0MB

Download
memory/864-676-0x000001650B3C0000-0x000001650B3F0000-memory.dmp

Filesize
192KB

Download
memory/864-674-0x000001650B460000-0x000001650B4A6000-memory.dmp

Filesize
280KB

Download
memory/2500-501-0x00000237A18C0000-0x00000237A18C8000-memory.dmp

Filesize
32KB

Download
memory/2500-502-0x00000237BC2A0000-0x00000237BC7C8000-memory.dmp

Filesize
5.2MB

Download
memory/2956-455-0x0000000004440000-0x0000000004580000-memory.dmp

Filesize
1.2MB

Download
memory/2956-464-0x0000000004440000-0x0000000004580000-memory.dmp

Filesize
1.2MB

Download
memory/2956-558-0x0000000004440000-0x0000000004580000-memory.dmp

Filesize
1.2MB

Download
memory/2956-744-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2956-451-0x0000000004440000-0x0000000004580000-memory.dmp

Filesize
1.2MB

Download
memory/2956-504-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/5692-1126-0x00007FF7950C0000-0x00007FF7950D0000-memory.dmp

Filesize
64KB

Download
memory/5692-1159-0x00007FF77BE00000-0x00007FF77BE10000-memory.dmp

Filesize
64KB

Download
memory/5692-1002-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1001-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1000-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1006-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1012-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1011-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1010-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1009-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1008-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1039-0x00007FF7715B0000-0x00007FF7715C0000-memory.dmp

Filesize
64KB

Download
memory/5692-1038-0x00007FF7715B0000-0x00007FF7715C0000-memory.dmp

Filesize
64KB

Download
memory/5692-1100-0x00007FF75F170000-0x00007FF75F180000-memory.dmp

Filesize
64KB

Download
memory/5692-1088-0x00007FF7A3F90000-0x00007FF7A3FA0000-memory.dmp

Filesize
64KB

Download
memory/5692-1007-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1005-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1014-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1013-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1015-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1016-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1017-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1018-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1024-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1105-0x00007FF75F170000-0x00007FF75F180000-memory.dmp

Filesize
64KB

Download
memory/5692-1140-0x00007FF7950C0000-0x00007FF7950D0000-memory.dmp

Filesize
64KB

Download
memory/5692-1042-0x00007FF75F170000-0x00007FF75F180000-memory.dmp

Filesize
64KB

Download
memory/5692-1161-0x00007FF77BE00000-0x00007FF77BE10000-memory.dmp

Filesize
64KB

Download
memory/5692-1160-0x00007FF77BE00000-0x00007FF77BE10000-memory.dmp

Filesize
64KB

Download
memory/5692-1003-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1152-0x00007FF77BE00000-0x00007FF77BE10000-memory.dmp

Filesize
64KB

Download
memory/5692-1151-0x00007FF77BE00000-0x00007FF77BE10000-memory.dmp

Filesize
64KB

Download
memory/5692-1149-0x00007FF77BE00000-0x00007FF77BE10000-memory.dmp

Filesize
64KB

Download
memory/5692-1148-0x00007FF77BE00000-0x00007FF77BE10000-memory.dmp

Filesize
64KB

Download
memory/5692-1147-0x00007FF77BE00000-0x00007FF77BE10000-memory.dmp

Filesize
64KB

Download
memory/5692-1113-0x00007FF7A7690000-0x00007FF7A76A0000-memory.dmp

Filesize
64KB

Download
memory/5692-1080-0x00007FF75F170000-0x00007FF75F180000-memory.dmp

Filesize
64KB

Download
memory/5692-1070-0x00007FF75F170000-0x00007FF75F180000-memory.dmp

Filesize
64KB

Download
memory/5692-1063-0x00007FF75F170000-0x00007FF75F180000-memory.dmp

Filesize
64KB

Download
memory/5692-1048-0x00007FF797920000-0x00007FF797930000-memory.dmp

Filesize
64KB

Download
memory/5692-1031-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1019-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1020-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1021-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1022-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1023-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1025-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1026-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1027-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1028-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1029-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1030-0x00007FF78A520000-0x00007FF78A530000-memory.dmp

Filesize
64KB

Download
memory/5692-1083-0x00007FF75F170000-0x00007FF75F180000-memory.dmp

Filesize
64KB

Download
memory/5692-1085-0x00007FF75F170000-0x00007FF75F180000-memory.dmp

Filesize
64KB

Download
memory/8056-4806-0x0000022E4B570000-0x0000022E4B8D6000-memory.dmp

Filesize
3.4MB

Download
memory/8056-4809-0x0000022E4B380000-0x0000022E4B4FC000-memory.dmp

Filesize
1.5MB

Download
memory/8056-4810-0x0000022E32400000-0x0000022E3241A000-memory.dmp

Filesize
104KB

Download
memory/8056-4811-0x0000022E328D0000-0x0000022E328F2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads