wannacry | a83459a0f98b061d60198c239bbc1d8610dec184a4b246f8bdc853242e8e1b5d

Analysis

max time kernel
179s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

19KB
MD5

b843ff77570081fe11fcf04ceac174f1
SHA1

06c1de4c05e287a5e18772e53a10d1ef8e2991fa
SHA256

a83459a0f98b061d60198c239bbc1d8610dec184a4b246f8bdc853242e8e1b5d
SHA512

0d515d36d5e633276be50865eba64aa198a780bf0b28cf277e5b25edcdfae4ca673c66b57689ae5e2c74e0f267e2c2b88f52855e38c973e16b6220b6ac882f51
SSDEEP

384:kuemospa1ocy4i4lbGaTMvhpN5on2Byn2MFV1EY04TolCfH1xCejiw:7g1ocy45EawJpNenIyFTEY04TolIVxPF

Score

10^/10

wannacry bootkit defense_evasion discovery evasion execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tera Bonus.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD1D42.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1D3B.tmp	WannaCry.EXE

Executes dropped EXE 10 IoCs

pid	Process
5396	taskdl.exe
5796	@[email protected]
4376	@[email protected]
5752	taskhsvc.exe
5496	taskdl.exe
4008	taskse.exe
5488	@[email protected]
2620	taskdl.exe
3600	taskse.exe
1040	@[email protected]

Loads dropped DLL 7 IoCs

pid	Process
5752	taskhsvc.exe
5752	taskhsvc.exe
5752	taskhsvc.exe
5752	taskhsvc.exe
5752	taskhsvc.exe
5752	taskhsvc.exe
5752	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4916	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fnhuhmufqzho584 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
85	raw.githubusercontent.com
86	raw.githubusercontent.com
120	camo.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Tera Bonus.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{C618DE36-98AE-428B-956D-193BFFEB10A3}	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3248	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 890761.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 118126.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1188	msedge.exe
1188	msedge.exe
4944	msedge.exe
4944	msedge.exe
3756	msedge.exe
3756	msedge.exe
1472	msedge.exe
1472	msedge.exe
1816	identity_helper.exe
1816	identity_helper.exe
4444	msedge.exe
4444	msedge.exe
5612	msedge.exe
5612	msedge.exe
4564	msedge.exe
4564	msedge.exe
5752	taskhsvc.exe
5752	taskhsvc.exe
5752	taskhsvc.exe
5752	taskhsvc.exe
5752	taskhsvc.exe
5752	taskhsvc.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3888	Tera Bonus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1900	WMIC.exe
Token: SeSecurityPrivilege	1900	WMIC.exe
Token: SeTakeOwnershipPrivilege	1900	WMIC.exe
Token: SeLoadDriverPrivilege	1900	WMIC.exe
Token: SeSystemProfilePrivilege	1900	WMIC.exe
Token: SeSystemtimePrivilege	1900	WMIC.exe
Token: SeProfSingleProcessPrivilege	1900	WMIC.exe
Token: SeIncBasePriorityPrivilege	1900	WMIC.exe
Token: SeCreatePagefilePrivilege	1900	WMIC.exe
Token: SeBackupPrivilege	1900	WMIC.exe
Token: SeRestorePrivilege	1900	WMIC.exe
Token: SeShutdownPrivilege	1900	WMIC.exe
Token: SeDebugPrivilege	1900	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1900	WMIC.exe
Token: SeRemoteShutdownPrivilege	1900	WMIC.exe
Token: SeUndockPrivilege	1900	WMIC.exe
Token: SeManageVolumePrivilege	1900	WMIC.exe
Token: 33	1900	WMIC.exe
Token: 34	1900	WMIC.exe
Token: 35	1900	WMIC.exe
Token: 36	1900	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1900	WMIC.exe
Token: SeSecurityPrivilege	1900	WMIC.exe
Token: SeTakeOwnershipPrivilege	1900	WMIC.exe
Token: SeLoadDriverPrivilege	1900	WMIC.exe
Token: SeSystemProfilePrivilege	1900	WMIC.exe
Token: SeSystemtimePrivilege	1900	WMIC.exe
Token: SeProfSingleProcessPrivilege	1900	WMIC.exe
Token: SeIncBasePriorityPrivilege	1900	WMIC.exe
Token: SeCreatePagefilePrivilege	1900	WMIC.exe
Token: SeBackupPrivilege	1900	WMIC.exe
Token: SeRestorePrivilege	1900	WMIC.exe
Token: SeShutdownPrivilege	1900	WMIC.exe
Token: SeDebugPrivilege	1900	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1900	WMIC.exe
Token: SeRemoteShutdownPrivilege	1900	WMIC.exe
Token: SeUndockPrivilege	1900	WMIC.exe
Token: SeManageVolumePrivilege	1900	WMIC.exe
Token: 33	1900	WMIC.exe
Token: 34	1900	WMIC.exe
Token: 35	1900	WMIC.exe
Token: 36	1900	WMIC.exe
Token: SeBackupPrivilege	1716	vssvc.exe
Token: SeRestorePrivilege	1716	vssvc.exe
Token: SeAuditPrivilege	1716	vssvc.exe
Token: SeTcbPrivilege	4008	taskse.exe
Token: SeTcbPrivilege	4008	taskse.exe
Token: SeDebugPrivilege	3888	Tera Bonus.exe
Token: SeDebugPrivilege	3888	Tera Bonus.exe
Token: 33	5696	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5696	AUDIODG.EXE
Token: SeTcbPrivilege	3600	taskse.exe
Token: SeTcbPrivilege	3600	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
4944	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe
1472	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5796	@[email protected]
5796	@[email protected]
4376	@[email protected]
4376	@[email protected]
5488	@[email protected]
5488	@[email protected]
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
1040	@[email protected]
1040	@[email protected]
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe
3888	Tera Bonus.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 4728	4944	msedge.exe	83
PID 4944 wrote to memory of 4728	4944	msedge.exe	83
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 2396	4944	msedge.exe	84
PID 4944 wrote to memory of 1188	4944	msedge.exe	85
PID 4944 wrote to memory of 1188	4944	msedge.exe	85
PID 4944 wrote to memory of 836	4944	msedge.exe	86
PID 4944 wrote to memory of 836	4944	msedge.exe	86
PID 4944 wrote to memory of 836	4944	msedge.exe	86
PID 4944 wrote to memory of 836	4944	msedge.exe	86
PID 4944 wrote to memory of 836	4944	msedge.exe	86
PID 4944 wrote to memory of 836	4944	msedge.exe	86
PID 4944 wrote to memory of 836	4944	msedge.exe	86
PID 4944 wrote to memory of 836	4944	msedge.exe	86
PID 4944 wrote to memory of 836	4944	msedge.exe	86
PID 4944 wrote to memory of 836	4944	msedge.exe	86
PID 4944 wrote to memory of 836	4944	msedge.exe	86
PID 4944 wrote to memory of 836	4944	msedge.exe	86
PID 4944 wrote to memory of 836	4944	msedge.exe	86
PID 4944 wrote to memory of 836	4944	msedge.exe	86
PID 4944 wrote to memory of 836	4944	msedge.exe	86
PID 4944 wrote to memory of 836	4944	msedge.exe	86
PID 4944 wrote to memory of 836	4944	msedge.exe	86
PID 4944 wrote to memory of 836	4944	msedge.exe	86
PID 4944 wrote to memory of 836	4944	msedge.exe	86
PID 4944 wrote to memory of 836	4944	msedge.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2316	attrib.exe
4992	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe899d46f8,0x7ffe899d4708,0x7ffe899d4718
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,17487905180390394323,11468412402879097087,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,17487905180390394323,11468412402879097087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,17487905180390394323,11468412402879097087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17487905180390394323,11468412402879097087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,17487905180390394323,11468412402879097087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe899d46f8,0x7ffe899d4708,0x7ffe899d4718
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6188 /prefetch:8
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6492 /prefetch:8
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3068 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1732 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6968 /prefetch:8
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,12957220825323140950,15947529460213904836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3456

C:\Users\Admin\Desktop\WannaCry.EXE
"C:\Users\Admin\Desktop\WannaCry.EXE"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:3692
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2316
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:4916
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 84601725595217.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4936
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5184
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4992
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5796
- - C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5752
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1060
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4376
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:4984
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5496
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "fnhuhmufqzho584" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5516
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "fnhuhmufqzho584" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3248
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2620
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3600
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Users\Admin\Desktop\Tera Bonus.exe
"C:\Users\Admin\Desktop\Tera Bonus.exe"
1⤵
- Disables RegEdit via registry modification
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3888
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C reg delete HKCR /f
  2⤵
  PID:3684
- - C:\Windows\system32\reg.exe
    reg delete HKCR /f
    3⤵
    PID:3676
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C reg delete HKU /f
  2⤵
  PID:5256
- - C:\Windows\system32\reg.exe
    reg delete HKU /f
    3⤵
    PID:5744
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C reg delete HKCC /f
  2⤵
  PID:5316
- - C:\Windows\system32\reg.exe
    reg delete HKCC /f
    3⤵
    PID:1648
- C:\Windows\System32\tar.exe
  "C:\Windows\System32\tar.exe"
  2⤵
  PID:2956
- C:\Windows\System32\Register-CimProvider.exe
  "C:\Windows\System32\Register-CimProvider.exe"
  2⤵
  PID:952

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x394 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
48358d033cc8b2d5edbc0f595504e470

SHA1
ad3f040918f156b9922da9ec3466306f227d5a83

SHA256
8796c566e51adf58237864b24a2dc661ce7ef6d67c9c9285b2af1594d30d86d0

SHA512
449f681f715baaa68a6153892ce5027fdbaf01dda95b8b42a25c7369550fb383ab809a3fb43a764ce5e9cf31696b875b691717be281389eb6b5cda28883cfbeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
70KB

MD5
4058c842c36317dcd384b6c2deaa8b95

SHA1
1085ddb12b29b79ffe51937ba9cd1957e5e229b4

SHA256
0e562969cad63d217848a5080273d1745dc4277d210b68a769c822f2fbfd75f6

SHA512
435a67024811360b12339e3916945b0639e2d9319e9d540b73e093848a467b030e91e01917b7fb804eb756dabce2fe53c2d7ea586554ee6cfee70e652a85924a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
41KB

MD5
9101760b0ce60082c6a23685b9752676

SHA1
0aa9ef19527562f1f7de1a8918559b6e83208245

SHA256
71e4b25e3f86e9e98d4e5ce316842dbf00f7950aad67050b85934b6b5fdfcca5

SHA512
cfa1dc3af7636d49401102181c910536e7e381975592db25ab8b3232bc2f98a4e530bb7457d05cbff449682072ed74a8b65c196d31acb59b9904031025da4af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
1.2MB

MD5
ea5397058cf416acc43ffec321de88d4

SHA1
ee9f61b93fb22376ce60b54955fe55569e12d4fb

SHA256
922885e29df2d8d9ffa1b82f319f0aee9548ec1035501e19976fe956a6ed8997

SHA512
10716d9cd86ead431533b09004d163db002af5de0825503b0f887b222bd628038f5e5de0b7f808e24a0b05028e7f67c39b2bd8757839ca75ba38190e5afda6a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
18KB

MD5
2e23d6e099f830cf0b14356b3c3443ce

SHA1
027db4ff48118566db039d6b5f574a8ac73002bc

SHA256
7238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885

SHA512
165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
91d04984c48331dd8e720f8cec618303

SHA1
2e95a9dbff60889e8df13c55208e4d905232f6e3

SHA256
741a94a4ae320c0fef1eb9ddf4fe21eea62a0c7c5acc13506e792851dd37b45a

SHA512
b9c75d174eefb83a71b01e88301adb1a235c132931a227801896b0b4f0bfbdcf205022e3101005db57591382d9d86ed6cf111946808e1566bd9b40027de8ad8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
58bf248698920ca5697541f9dc6a6901

SHA1
46ab893c7dffadab26683b55579f58eef6484ce6

SHA256
b9c3556e7f1da2e1d1816f3afa38bfda4f2c006d29c153dd24806dae59c1f809

SHA512
cd90c874d7c8e99d61e68737bc3e276e1981754b497e60f13c8c858e9209bc3f36dc1ff5022c96f55444a801a70eb5bad01650decff9b84fc4b59ed771b4151e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
4a8226f5ff7d19b63fe69ceb0510f1a3

SHA1
c112aa6633027ab31b754c567be49afe5d3041a0

SHA256
0800123ca0b90ee917c111884b2f3642ff53e68b1e839eaa478f337f8fef693e

SHA512
3a009b93c3e508a0bf724e2c7a1014887a434be72b497d420b2ddba08a8a39b81edee92eb749dc400b7f8f57b30a79fa39f208d960eeac9967deac380ee9fc28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
acb979cb9f89a2854168d7ba75467acf

SHA1
0722ae91203103de41993241acc20b77b11c8a68

SHA256
bc3c2d94be77613b581d254d0b78bc24dbad9888ed1917523a04d2e25653aeec

SHA512
02d205b1e04dd2652aa82cb5bdb624c94d0368c3b0aedb3d4b966df555bd348eff757534563fbc23ff760644d87bfe96dd34550bb52694dd08000b921ce06ada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
586B

MD5
9111ee4094f31db338c52747ed2dd3be

SHA1
aafaa03d8ebaf8b0e76e7c064bbb828b22af0a68

SHA256
066c3208d1f8af903bcff199db1683df06deb4bad4fdec8cdd48497ffdc70240

SHA512
8649aaf5d4ffeac3812e4afa95e3277e3273fab74be18a6340ff00ed7391cc704c911c4f017d9f7db4eb98545b8f4423521aca5f971ec74f35a668ddbae172a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
28KB

MD5
483e6752766b03ed151b98a48e35a9e9

SHA1
38f0426dc1aa0c528ca2432aea90dd7e51b33e9c

SHA256
705739e1d412a0b63f6f473e77b621d40ead6618b9888b9d5f811a2a5d8cd154

SHA512
34e3ef181edfeb52902b1e42a6fc038f7e187ec116bfcf5fcdd9c674c3493ec29da4099ef99936eb888adf9bf41fba4aec292c104dd59b925b038367182a35ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
57cfd8b2a0c89a4311f2a91320973d23

SHA1
98f054ec42cad2d0e2ff9625a17a8ba1b6542200

SHA256
722aa66f19c2d16ea4e5749bfeb27f6ba514966ceeb3f71c43c744240cd4ba3d

SHA512
dacfe1e771bb974381e6c39bb9d57efe450afed220e4c4f885149682bc20c50b78cb3ba89e32c88e8ff8b28d8d6a8afdd37c3ec0adf974d9ed85b15ed6aa5a4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
36a3d7e5d9edcd8bba872ac7a0933433

SHA1
ad5485bf9e1766e6856c1c678d60aa6fb05939b1

SHA256
5d07f8c751d8f745485f08053d2b4fe6badd71bdde169d949e41bfd5a05b6cb4

SHA512
ff1c52e4658f32ea8319abc0ec2bae8667e964343cd186479e7a1e03b2319178a0e6174937c94de8be91f6efe2d9abb87b59b3a843efde01367324e645c3badf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d61720c3bf730c7478a6ae2f8c036a91

SHA1
99af83c2c5a17481531858da283a4c353b56e372

SHA256
b461ff9862445e58db96c7f544049e461f22092769578a22bcf3d9adf354c0c9

SHA512
2ab5907bc7ef7a183ca2455204f23ff96984c8de96c189bdf95feae7275b4e643df39a4bbfc5912153d7cff79281723265c8d604f6044f5166f0aa26216fe1a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c822bb8c0f867002aa76b5b44cb67c61

SHA1
36e99bf513bd8cd0775d0cda2f6ad4de51481fd4

SHA256
0064e3e750d88a114309232fead7429cdfc1a14aa2c1ea16defcff338ae2284a

SHA512
2b51808121a0ce604f1495c035776228b40ff8fd493eeab92512079369ea1b901b9709bf6eb3ac95b5016d3e061ab873541df591e08f03a61b9a6888a2623602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c4c2d89a90ed028b42316f1fa444e045

SHA1
59f52835cc2d0e494a5f6e524e6c9b9873d8f018

SHA256
54a31154053e001e40f485a7eb4b55f90360dd1e11acf67018a5d431d422c3d3

SHA512
7b76201e1763a656337df640e42cbe194a858444d10ac544d1676eac2752db07458cd768d25e0f1d750202fa971085c165164e310cb37d3059876ed9430bb1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0a3b1906388cda2bc5c9adac0f176035

SHA1
1e345c69646c9f445f1669729611af4098e2256c

SHA256
eaf282a7b66e5f39be91f35ef6ddc2006578653eb984b5c1989aaafd47b2154f

SHA512
96002b76588c0fde33ed10ed8ebb92dd08415666af2d9dd53a76305f0a591d3aac0978adcb382b0a08185ec0b3736ad7e0e736e4bb50836a70f0514dedad2a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
845fd14a117f39890e8a51ce04890913

SHA1
2829a4db5081c8f9981945e0f005a782aca124b9

SHA256
287b603f676916bd4b66c281fdc923be6edceb539846c59a2e4f9f826a36a793

SHA512
a2194070c8f81eb386a0426cd78674602bf0d77e7b8abbd3bc4fdc2088e068e532fd7b9d7362ea3f289183a655db1f2f3183c45128171c2a851aca653f04fd47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0bd3f5bcf799a0c05d68a482dab88b89

SHA1
4df0f112ce7d32893da10606e9f6062a4c71bacd

SHA256
8f696fcd0b18a65ef9bffe48107d9ebe437fdd8fc8e614a70630c8db2b637dfd

SHA512
7fd4ed05d5ee42242c352db0cc233efa0b323a4422f7a3f6756c75c824b58c3bb4db690aba7e0a97d72d0472a3f55b836b638a79b95f77ed944c23a0acbdfc44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
98b402b8ea2d277d6a29459fc926fbcc

SHA1
7a9b5b68996af6a89f2e47df1ca003ba9187bb2a

SHA256
61b1945860cede9c634c73c52b899c6ce043a1c9928a201b1f9143fc57ba172c

SHA512
a4da7c899db385f38486ad6199bd3f471c2fb85114ad1748a94cefc58e8d359152fa167063728ab4514ce327c351eb964c9562851ec008cb0a66f67537d75f7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ab92ba9114c4957451a0aa3d8ce14d8b

SHA1
8ab4c730913fb03dd06c84198de206487ab96e44

SHA256
b079ffe4e5022a7c34085e8cf5bc1600aa6e32714615e8cd29b56e54b98302e6

SHA512
1263996a1b030d6abdf88c789e9f863996d327a81bd9e4fcd450fb9f149cd6d6de38f3412b2970c9dba971d226e2441d92cf9f017a63b7a5a8e23fbba8ac32fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d905678cfef3f706024f1b61d2a034d0

SHA1
03e4c16b0cb664b7ba88b3c76de74b49111d5f8c

SHA256
575b550a2e5ead9309a197d6d8bfaecd25eb07636eccdd4fa29cf52d0aa91df3

SHA512
af5eaabaea540d944c73eb523dc0c98351af88fe4c7592c391ce3623454f0ff200403e999dd94b61efd31d282c04351dacf7f6ed7a5f0781442f278d1cfe3cca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
93b67fda91e8bf58e882fb78726c6c9f

SHA1
85e7db321bdff5f09253f30642e7c68c6ac29d78

SHA256
994c27a84d025c45e228b43daf57744f78187fb436c197ed93b6d0cb58c5597e

SHA512
328dcc7832fa1e3ed2c25dd9c47e26c08e39a6f0b6b9f2449b4487c4f73fe0497b2c60a80caad149433f7631edbb74c149296e7e0464e809351aa8b21292ea53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1625af0aa7ffa723b6bc0456f3e508c0

SHA1
ab4f68971a091862157aad262223580bd41b8fb0

SHA256
2759518db4e585d7d849b30f3f5c43ed1e945488fd3604960e583b5db4f75958

SHA512
f8c87d7c85d9dc0608539e7595047d591e3556c5c27ed39c16aa377523bad1f088fd563d8f73eb5007cca0b1abdc885f6a60212e2761eacb75f2164a4cbe182b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
110bca304015b322d551f7a02f626236

SHA1
10acb1ac095222c19956aaa9a1345846dbe772d8

SHA256
54ad03dfec12e8aaeae4fb2d14d4ed477264089580af5d7d443db99b6bc2b6e0

SHA512
43c27533c8152ccb07ee8e47590ddc05ffe80f9068ecf7d79c41ad148d293d3f1dd65b933c09043c2dd6274f28c509c2f31977ddd4a4d8b0b5efc9babbaac101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13370068724035599

Filesize
1KB

MD5
64bb82ee002ac03bd62f12230b9193bf

SHA1
2d79ae5678f060535dcb6c618f332d5a517d977b

SHA256
288d1bdf8d92e961cc9827168d3a270e5d6c73ab019780c9a0c6a1163b72e744

SHA512
b35d248e7051dae1db121761ad9f34a8add36837872897e85e8ce48791692f1241b918d5b2c36c72703e6d82367fc765afc9102081151f3e751eae5d55a951ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13370068724050599

Filesize
1KB

MD5
d47c433780db3bde4c568487ce15c889

SHA1
a39938490ed9d2d322e0db15a24760a1ffec970f

SHA256
837bd56143f4dfd57c24878014d0f416e725b03601db99ab22c0cc0a5f3d464b

SHA512
b9639283fb353a094b6d77a807a353e7849f92047031c5456206712d944cf37bf8d7e004f9633a873bba67e26b54ff7396cdc8baed51ca3ec474eeb5578ffbf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
aae315d43d3b51a6a3f784c0631230b5

SHA1
58569e9956f40e2014cd42fd7688ecbcf9634bcb

SHA256
cc446f418569c27ed95a92341d6216ae4444bf4703dd1208576741051cdee924

SHA512
b47a4adcd628e8e3f7d0f47c9164f6845a2c216e6a89232e0e632325ac04812df910ee7c5843cc449278cff5b95678c6b1960a936bedc9b3776c9aa814e813b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
85da75e85deb9cda231c9a6893db6166

SHA1
ede086abc04869bb58270023852f9fd9a42733c1

SHA256
895ef8b502c7a130fe50c5c900deb3d138c0a0a56a6300971d530bd68887769c

SHA512
7de2d36e025f061d778ef34642424391808715d6f2e232fca79dd3766fd12243a7ea190806fa11d7095efa576ec4597b7c3928b858485f218dd95570884942ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b363b815fc6c448257abebfbbd68e79e

SHA1
bc9ba0a23740991a26894130e239c58e90b4db4f

SHA256
489f3d53dbb093c368f1fd9b9f039556651e24a0957785b38e82d577ed797ebe

SHA512
53ef02568ae6fa86d8e68d040f55f374e3b877b8ad94a3a6e33d6eba1b722737d4d62e71f24c6ff5d3d0f8990d5e761f97d999eb37070dc3cb97dd673ea43477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7b2158a7e1990684a7acfcfc03116132

SHA1
dceb9c6820f2871a2529145c023f6b5ec4c07ed0

SHA256
740c458fc80a27d39ef20202b0a7b800616568c62576a520f7d76e9b8bf5aecc

SHA512
ca698684aad0caf0996c623171e9b615c7704515b0ff8ef8f792410d5f43703745bbfd02058a710c58b6e1c9f3cf6c52dfe9ec3f0a4546e8f29cee7ce45d679a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3e4c112478ab355e39f54e491002232b

SHA1
2ea245896037b0d56c3a1d79e4caba32940a8346

SHA256
1695ce1473c93d1d9c4869b423f0529f62b391cdb250ea252796fd51a0d03f46

SHA512
c619b979e8fb7bfd138169ff127938866e0a4f38d05d2bd34520e3458fe140cd5c48b2aef4d602d301ed1cb193a9d7f00d6503dc96bcd70f943db22ca1170ab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581671.TMP

Filesize
1KB

MD5
1172d247f455bed275b60c3e77f6b40f

SHA1
402417d853f5d215c401967940ee4f9197afe8f8

SHA256
c00aa2de783bee0994ff6197bc128e0a0dfeb7513153198eeeaef8afd9df54bf

SHA512
e6097ea0118e38eeefdbae351d3fbba03ded6ea908e0eb9d729203e90333626e8b91cafd5fd5031e4fc136104446046740e3319061b57bd0791a370fea104762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
b95b4fb7447d1c8057470434993ef5da

SHA1
d4c14f4b9e7b9b80e770a99275c449a954e33866

SHA256
5e9c4304e230fef1eafb7da0e37508a67041197c9d61ec44f5cc7e38953313b6

SHA512
ef619f13f709ad9be490e57bb081b9a1a97de87fabf1dacec4e3243ff182cb8cd07ebc00bb9f426b4e58580929105c81fb87a48a6cd2fc6a10d2d3a095baee32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
7f353d3469e739e6f8eb29dd009d9cbf

SHA1
183e430b64daca4d3bfbcfc2fd87ca04def4961b

SHA256
85acf1fc02b295d93b5600f0b3a2f265baa0d125f9fedf0c1958acc7a5e71ed2

SHA512
19111c15c40190acd4969bcaeccaf034fa93646275ee033454d463be3b593b4b92d802617665b0da4d7557d788cc3815d71e8e2d59aa56d47e31e322bb9d8628

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
194B

MD5
a48763b50473dbd0a0922258703d673e

SHA1
5a3572629bcdf5586d79823b6ddbf3d9736aa251

SHA256
9bb14ea03c24f4c3543b22a8b4e9d306b926d4950cfcc410808ecac2407409fd

SHA512
536406435e35f8204ce6d3b64850ffb656813aacbc5172af895c16c4f183005d69999c4f48f948875d9837890f290b51a7358ff974fb1efc6ba3d1592426cca1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
5f5dc2c386f8287c6d0acdf448e5e8a2

SHA1
8d49e8e33309cbb176fd6473b1f6f8501c57e717

SHA256
d56f16df19da3a68b62c5cfab662f71f9f838550bd21b1e16af84947e036e71a

SHA512
c65a7b062e0509f10e41c37f8ef1f43178bfff6597f267692bfba41158e0072cbb240107657df9e0472117a9771f4dc5d6a69563f3ecfb092e913798c4fe673e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
51a0f629447f4928f49e2c5fc3da9e12

SHA1
29b806fc08bc36b1ed403aefff56465d15ab9e6d

SHA256
b28d47ca246bf494d9bc1a9631854e0dee56b2b70f6ec98969dabb9db3f273d5

SHA512
e58602ed607a976674d738fea21287eab18354f4987761435ab78d8415b61d579a12d4b69e921f2088b20f281a77f9d4560279ba97c373f9b433fe8f712be3b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
57dea07c841cffe3bff9435d80a49d0e

SHA1
11a5b76c436c37d059cac374ec7bf3faba0beb62

SHA256
afce70ee6fc6d9acb19e716cd7cc3532df299b125a0326e0469669ff2abb0a96

SHA512
9a602c4b17ee17b5be6129f66e4cb23bf3c4d1e2cac7cb9c021d515f72232ec6cfc2ecc4a20a79442ddd59ab741dbca64a6a4bcaa7a44384effffee5603fecc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
a26c7728bedbe0aa52846ac48f7117c7

SHA1
ffacb2af27c7b8c043833a35805b06cac5a095e2

SHA256
e659931917509ccad844a7665ed69efd3ad67a2242c2ba7f9192210d93b04019

SHA512
5b08db64fa0eb9e4e5faef4679da26688612e7b6e3b3800ddef41807d174549a30fbe26bdcaa8c00d612553838b3645bfd5cc81a2cb9cd016463b362ab3c169b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3cb966a21d75206f1f29c40a7db70484

SHA1
8ee21cadd01b94ac67446be5343111f624a0127f

SHA256
bddad8ad783295804d40d51a943171ee7a28e28f37b00383adb9465a498d77ef

SHA512
364de6b9ffd97138de7bd25c33dfd580797f318f7e3544ad0d5979eefdd7b718225908d494aadf8aa63a570840b861aa4bc864bb62a1f456def57ba59d346ab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
921d9d6aec8505d3ea9b9e464e5b05c0

SHA1
dbb70abfea12244429f42390cd91172629f67922

SHA256
a64427cf2afd14b71ee032e6c321b2fd9f4e564a00824713c8e134bcb0f875ed

SHA512
b3ecdabe43ca3ab2df180fd3eeb83dec83b6cdca3ae1cdad2985ef08b1a06f0616a32b6bc9ab73678bb21c96b883776ea5e834b65de484f3cc4dec9b86dc234c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9a0938bbcb8fed0eba5f8d0f383600b0

SHA1
0955fc7ced95469d4eb970735e1663922efeaa71

SHA256
c55bb57ee5eedd7a886e404b1fa97d8a553b9d6b2dc426210e24667339f74f45

SHA512
01cef73d00dd42267030994c2d9f47869b284a96a314007854d39f056dc80572f84042e245f6b9d54dda7c4f8fffe8017dd726b21a4f2df0d2cd59f2a2a53e2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f84b1dc484daa7f8e55f542020b056fb

SHA1
302e1c08a648ad39c1a385159c8c87c7ee6e75e4

SHA256
ae9cb365593063af9cb97213bd69b597c84ced25c64b6e19f887b380899874bc

SHA512
fadf9de7f29ef5d18ce8a6e7a9480a3db432b64e72976aaefaad09c264fcda1930435a72d4d7f741fd9084cc36dbeffbb65886d850d60f95bc983afeca2dcd61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
bca5f5e0faba0909157d24f0d726ee67

SHA1
ed088bc65547f9413e502c609b9e8bb482bba4ce

SHA256
bdc5c17b0971c0ce3f3856e963d960aefc5af12a73ffb80477d934881f17516f

SHA512
5181436d3576d7cfeaf8ba6922b3f11ca1a4619881e53e6d44ce10902fa32e4b1a899b68c84848280aff5ed84f3f7f944e1296969fece345fb5124ef826a1c24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
0cd88e6621d206c21e07635fbb4e278a

SHA1
e792a013e8e24d5b799feb48ed7a0466ede81102

SHA256
2c474faf4e580a49309de039012dc123a289e38b9b686508d1e47e7db768e59a

SHA512
512bff603f79308ea48379492669e24a66d4ce39fcc9bf71bddf21d520cf2fa64b77e48e67da3d6067fa4df9b9326b899c83304bfab75582e6035256d5097d3d

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Desktop\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Desktop\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 118126.crdownload

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 890761.crdownload

Filesize
221KB

MD5
1c09031ff6c99052c26361fce47745fd

SHA1
f2d799b7fddee23549baf33e646092b6439af0c6

SHA256
cee4c3c0e2133c38190b9cdc15e75b2e79b120750602f82cb4423c395e0ef392

SHA512
f801d47ed6c5daf23ee1f29192bf2ad04b7b619b17e4a7094ad612562645a88f762f1ebd6c029d38052e7d2049dc9b32f4bbe9202837f191ba8d575ccb55af2a

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/3692-1312-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3888-2784-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/3888-2783-0x0000000000100000-0x0000000000140000-memory.dmp

Filesize
256KB

Download
memory/5752-2778-0x0000000073B50000-0x0000000073BC7000-memory.dmp

Filesize
476KB

Download
memory/5752-2768-0x0000000073BF0000-0x0000000073C72000-memory.dmp

Filesize
520KB

Download
memory/5752-2769-0x0000000073870000-0x0000000073A8C000-memory.dmp

Filesize
2.1MB

Download
memory/5752-2780-0x0000000073AC0000-0x0000000073B42000-memory.dmp

Filesize
520KB

Download
memory/5752-2781-0x0000000073870000-0x0000000073A8C000-memory.dmp

Filesize
2.1MB

Download
memory/5752-2779-0x0000000073A90000-0x0000000073AB2000-memory.dmp

Filesize
136KB

Download
memory/5752-2771-0x0000000073A90000-0x0000000073AB2000-memory.dmp

Filesize
136KB

Download
memory/5752-2775-0x00000000005F0000-0x00000000008EE000-memory.dmp

Filesize
3.0MB

Download
memory/5752-2777-0x0000000073BD0000-0x0000000073BEC000-memory.dmp

Filesize
112KB

Download
memory/5752-2776-0x0000000073BF0000-0x0000000073C72000-memory.dmp

Filesize
520KB

Download
memory/5752-2772-0x00000000005F0000-0x00000000008EE000-memory.dmp

Filesize
3.0MB

Download
memory/5752-2770-0x0000000073AC0000-0x0000000073B42000-memory.dmp

Filesize
520KB

Download
memory/5752-2787-0x00000000005F0000-0x00000000008EE000-memory.dmp

Filesize
3.0MB

Download
memory/5752-2800-0x0000000073870000-0x0000000073A8C000-memory.dmp

Filesize
2.1MB

Download
memory/5752-2794-0x00000000005F0000-0x00000000008EE000-memory.dmp

Filesize
3.0MB

Download
memory/5752-2820-0x0000000073870000-0x0000000073A8C000-memory.dmp

Filesize
2.1MB

Download
memory/5752-2814-0x00000000005F0000-0x00000000008EE000-memory.dmp

Filesize
3.0MB

Download
memory/5752-2822-0x00000000005F0000-0x00000000008EE000-memory.dmp

Filesize
3.0MB

Download
memory/5752-2828-0x0000000073870000-0x0000000073A8C000-memory.dmp

Filesize
2.1MB

Download
memory/5752-2869-0x00000000005F0000-0x00000000008EE000-memory.dmp

Filesize
3.0MB

Download
memory/5752-2875-0x0000000073870000-0x0000000073A8C000-memory.dmp

Filesize
2.1MB

Download
memory/5752-2882-0x00000000005F0000-0x00000000008EE000-memory.dmp

Filesize
3.0MB

Download