wannacry | hxxps://hypeddit[.]com/extremest/extremestdeadlyvirus

Resubmissions

21-09-2024 21:11

240921-z1tt2stfnd 3

21-09-2024 20:55

240921-zqmmzstcnn 10

Analysis

max time kernel
370s
max time network
431s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://hypeddit.com/extremest/extremestdeadlyvirus

Score

10^/10

wannacry bootkit defense_evasion discovery evasion execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	tv_enua.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	MSAGENT.EXE

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	BonziBuddy432.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1FF4.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD1FFB.tmp	WannaCry.exe

Executes dropped EXE 11 IoCs

pid	Process
4600	WannaCry.exe
3980	!WannaDecryptor!.exe
4008	!WannaDecryptor!.exe
1276	!WannaDecryptor!.exe
2816	BonziBuddy432.exe
2980	!WannaDecryptor!.exe
4476	MSAGENT.EXE
4872	tv_enua.exe
388	AgentSvr.exe
4452	BonziBDY_35.EXE
4060	AgentSvr.exe

Loads dropped DLL 37 IoCs

pid	Process
2816	BonziBuddy432.exe
2816	BonziBuddy432.exe
2816	BonziBuddy432.exe
2816	BonziBuddy432.exe
2816	BonziBuddy432.exe
2816	BonziBuddy432.exe
2816	BonziBuddy432.exe
2816	BonziBuddy432.exe
2816	BonziBuddy432.exe
2816	BonziBuddy432.exe
2816	BonziBuddy432.exe
4476	MSAGENT.EXE
4380	regsvr32.exe
3204	regsvr32.exe
440	regsvr32.exe
3664	regsvr32.exe
3372	regsvr32.exe
4712	regsvr32.exe
3728	regsvr32.exe
4872	tv_enua.exe
64	regsvr32.exe
64	regsvr32.exe
4044	regsvr32.exe
4452	BonziBDY_35.EXE
4452	BonziBDY_35.EXE
4452	BonziBDY_35.EXE
4452	BonziBDY_35.EXE
4452	BonziBDY_35.EXE
4452	BonziBDY_35.EXE
4452	BonziBDY_35.EXE
4060	AgentSvr.exe
4060	AgentSvr.exe
4452	BonziBDY_35.EXE
4452	BonziBDY_35.EXE
4060	AgentSvr.exe
4060	AgentSvr.exe
4060	AgentSvr.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	tv_enua.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
159	raw.githubusercontent.com
275	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	salinewin.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SET9699.tmp	tv_enua.exe
File created	C:\Windows\SysWOW64\SET9699.tmp	tv_enua.exe
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	tv_enua.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page12.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb012.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page13.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\ActiveSkin.ocx	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\MSINET.OCX	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page19.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page9.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\AutoDirPatcher.vbs	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page7.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\MSCOMCTL.OCX	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\sites.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\book	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BonziBUDDY_Killer.exe	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Jigsaw.exe	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\sstabs2.ocx	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\ManualShortcutsMaker.vbs	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page6.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page5.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page16.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\j2.nbd-SR	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\msvcrt.dll	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb011.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page12.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page14.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\ODKOB32.DLL	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page2.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page5.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Apps.nbd	BonziBDY_35.EXE
File opened for modification	C:\Program Files (x86)\BonziBuddy432\SSubTmr6.dll	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page9.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\test.vbs	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb009.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\book	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page3.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\J001.nbd-SR	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\ManualDirPatcher.vbs	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Runtimes\spchcpl.exe	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page11.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page17.htm	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page17.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb006.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page1.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\msvbvm60.dll	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\t001.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page12.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page2.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Snd2.wav	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page11.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\sp001.gif	BonziBuddy432.exe
File created	C:\Program Files (x86)\BonziBuddy432\Reg.nbd.temp	BonziBDY_35.EXE
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BonziBDY.vbw	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Bonzi's Beach Checkers.exe	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb008.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\sp004.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\P001.nbd-SR	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\RACREG32.DLL	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\registry.reg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\uninstall.bat	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page0.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Apps.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Intro2.wav	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page8.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\sp006.gif	BonziBuddy432.exe

Drops file in Windows directory 56 IoCs

description	ioc	Process
File created	C:\Windows\msagent\intl\SET9382.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET934D.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET934D.tmp	MSAGENT.EXE
File created	C:\Windows\lhsp\tv\SET9646.tmp	tv_enua.exe
File created	C:\Windows\lhsp\tv\SET9657.tmp	tv_enua.exe
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET932A.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET935E.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET9319.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\INF\SET9688.tmp	tv_enua.exe
File created	C:\Windows\msagent\SET932B.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET9383.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\INF\tv_enua.inf	tv_enua.exe
File opened for modification	C:\Windows\msagent\chars\Bonzi.acs	BonziBuddy432.exe
File opened for modification	C:\Windows\msagent\SET9319.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentSvr.exe	MSAGENT.EXE
File created	C:\Windows\lhsp\help\SET9677.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET9371.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	MSAGENT.EXE
File created	C:\Windows\msagent\SET932C.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentMPx.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentAnm.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentPsh.dll	MSAGENT.EXE
File created	C:\Windows\msagent\SET9383.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\chars\Peedy.acs	BonziBuddy432.exe
File opened for modification	C:\Windows\msagent\AgentDp2.dll	MSAGENT.EXE
File created	C:\Windows\msagent\SET9371.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\mslwvtts.dll	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\help\SET9677.tmp	tv_enua.exe
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	tv_enua.exe
File opened for modification	C:\Windows\fonts\SET9687.tmp	tv_enua.exe
File created	C:\Windows\msagent\SET934C.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\INF\SET9370.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\help\Agt0409.hlp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\SET9657.tmp	tv_enua.exe
File opened for modification	C:\Windows\INF\agtinst.inf	MSAGENT.EXE
File created	C:\Windows\help\SET9372.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET932A.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET935F.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgtCtl15.tlb	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET932B.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET935E.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentSR.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET935F.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\fonts\andmoipa.ttf	tv_enua.exe
File created	C:\Windows\INF\SET9688.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentCtl.dll	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\AgentDPv.dll	MSAGENT.EXE
File created	C:\Windows\fonts\SET9687.tmp	tv_enua.exe
File opened for modification	C:\Windows\help\SET9372.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\tv_enua.dll	tv_enua.exe
File created	C:\Windows\INF\SET9370.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\intl\SET9382.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\lhsp\tv\SET9646.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET932C.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET934C.tmp	MSAGENT.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentSvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentSvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	salinewin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BonziBuddy432.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSAGENT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BonziBDY_35.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tv_enua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4880	taskkill.exe
4040	taskkill.exe
4164	taskkill.exe
4044	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4900F67-055F-11D4-8F9B-00104BA312D6}\VERSION\ = "1.1"	BonziBDY_35.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\InprocServer32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F04A-858B-11D1-B16A-00C0F0283628}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FD9-1BF9-11D2-BAE8-00104B9E0792}\TypeLib	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98BBE491-2EED-11D1-ACAC-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4900F96-055F-11D4-8F9B-00104BA312D6}\TypeLib\ = "{F4900F5D-055F-11D4-8F9B-00104BA312D6}"	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D41-2CDD-11D3-9DD0-D3CD4078982A}\MiscStatus\1	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}\ = "DImageComboEvents"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B976287-3692-11D0-9B8A-0000C0F04C96}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E91E27A3-C5AE-11D2-8D1B-00104B9E072A}\MiscStatus	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A45DB49-BD0D-11D2-8D14-00104B9E072A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{159C2806-4A71-45B4-8D4E-74C181CD6842}\ = "_CCalendarVBPeriod"	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{972DE6C2-8B09-11D2-B652-A1FD6CC34260}\ProgID\ = "ActiveSkin.SkinForm.1"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53FA8D46-2CDD-11D3-9DD0-D3CD4078982A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Threed.SSRibbon.3\CLSID	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\ToolboxBitmap32\ = "C:\\Windows\\msagent\\AgentCtl.dll, 105"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F59C2A4-4C01-4451-BE5B-09787B123A5E}\ProgID	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{972DE6C3-8B09-11D2-B652-A1FD6CC34260}\ = "_ISkinFormEvents"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\ProgID\ = "MSComctlLib.ImageComboCtl.2"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00E212A0-E66D-11CD-836C-0000C0C14E92}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4900F6A-055F-11D4-8F9B-00104BA312D6}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	BonziBDY_35.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF1B5D50-3C5C-48CE-B991-0E86D26F6F5E}\ = "ComProcTextures Class"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FDF-1BF9-11D2-BAE8-00104B9E0792}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FE2-1BF9-11D2-BAE8-00104B9E0792}\ProxyStubClsid32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A45DB4F-BD0D-11D2-8D14-00104B9E072A}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	BonziBuddy432.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE3B-8596-11D1-B16A-00C0F0283628}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Threed.SSOption.3\CLSID\ = "{065E6FDF-1BF9-11D2-BAE8-00104B9E0792}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE6-1BF9-11D2-BAE8-00104B9E0792}\MiscStatus\1\ = "139665"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDD-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlSpeechInput"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{53FA8D41-2CDD-11D3-9DD0-D3CD4078982A}\InprocServer32\ThreadingModel = "Apartment"	BonziBuddy432.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32\ = "C:\\Program Files (x86)\\BonziBuddy432\\MSINET.OCX"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{065E6FD1-1BF9-11D2-BAE8-00104B9E0792}\3.0\0\win32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FE5-1BF9-11D2-BAE8-00104B9E0792}\TypeLib\Version = "3.0"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE4-8583-11D1-B16A-00C0F0283628}\ = "IToolbar"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FDD-1BF9-11D2-BAE8-00104B9E0792}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EF6BEC0-E669-11CD-836C-0000C0C14E92}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E91E27A3-C5AE-11D2-8D1B-00104B9E072A}\VersionIndependentProgID	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F59C2A4-4C01-4451-BE5B-09787B123A5E}\InprocServer32\ = "C:\\PROGRA~2\\BONZIB~1\\ACTIVE~1.OCX"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53FA8D4E-2CDD-11D3-9DD0-D3CD4078982A}\TypeLib\Version = "1.0"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\0	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1533A365-F76F-4518-8A56-4CD34547F8AB}\Control\	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\ = "Microsoft Agent Server Extensions 2.0"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6B1BE804-567F-11D1-B652-0060976C699F}\InprocServer32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F55ED2E0-6E13-11CE-918C-0000C0554C0A}\ = "IX"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BonziBUDDY.clsAddressBook\Clsid\ = "{F4900F8D-055F-11D4-8F9B-00104BA312D6}"	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.SkinEvent\CLSID	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FD4-1BF9-11D2-BAE8-00104B9E0792}\ = "ISSButtonBase"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14E27A73-69F0-11CE-9425-0000C0C14E92}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62FCAC31-2581-11D2-BAF1-00104B9E0792}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F21-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Threed.SSCommand\CurVer\ = "Threed.SSCommand.3"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E91E27A1-C5AE-11D2-8D1B-00104B9E072A}\ = "ISSTabPanelControl"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8DB2224E-D2FA-4B2E-8402-085EA7CC826B}\TypeLib	BonziBDY_35.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{159C2806-4A71-45B4-8D4E-74C181CD6842}\ProxyStubClsid	BonziBDY_35.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5476	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 467998.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 401101.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2204	msedge.exe
2204	msedge.exe
1364	msedge.exe
1364	msedge.exe
2212	identity_helper.exe
2212	identity_helper.exe
3968	msedge.exe
3968	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
4484	msedge.exe
4484	msedge.exe
4044	msedge.exe
4044	msedge.exe
4624	chrome.exe
4624	chrome.exe
2572	msedge.exe
2572	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 40 IoCs

pid	Process
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1840	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1840	AUDIODG.EXE
Token: SeDebugPrivilege	4040	taskkill.exe
Token: SeDebugPrivilege	4880	taskkill.exe
Token: SeDebugPrivilege	4044	taskkill.exe
Token: SeDebugPrivilege	4164	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3000	WMIC.exe
Token: SeSecurityPrivilege	3000	WMIC.exe
Token: SeTakeOwnershipPrivilege	3000	WMIC.exe
Token: SeLoadDriverPrivilege	3000	WMIC.exe
Token: SeSystemProfilePrivilege	3000	WMIC.exe
Token: SeSystemtimePrivilege	3000	WMIC.exe
Token: SeProfSingleProcessPrivilege	3000	WMIC.exe
Token: SeIncBasePriorityPrivilege	3000	WMIC.exe
Token: SeCreatePagefilePrivilege	3000	WMIC.exe
Token: SeBackupPrivilege	3000	WMIC.exe
Token: SeRestorePrivilege	3000	WMIC.exe
Token: SeShutdownPrivilege	3000	WMIC.exe
Token: SeDebugPrivilege	3000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3000	WMIC.exe
Token: SeRemoteShutdownPrivilege	3000	WMIC.exe
Token: SeUndockPrivilege	3000	WMIC.exe
Token: SeManageVolumePrivilege	3000	WMIC.exe
Token: 33	3000	WMIC.exe
Token: 34	3000	WMIC.exe
Token: 35	3000	WMIC.exe
Token: 36	3000	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3000	WMIC.exe
Token: SeSecurityPrivilege	3000	WMIC.exe
Token: SeTakeOwnershipPrivilege	3000	WMIC.exe
Token: SeLoadDriverPrivilege	3000	WMIC.exe
Token: SeSystemProfilePrivilege	3000	WMIC.exe
Token: SeSystemtimePrivilege	3000	WMIC.exe
Token: SeProfSingleProcessPrivilege	3000	WMIC.exe
Token: SeIncBasePriorityPrivilege	3000	WMIC.exe
Token: SeCreatePagefilePrivilege	3000	WMIC.exe
Token: SeBackupPrivilege	3000	WMIC.exe
Token: SeRestorePrivilege	3000	WMIC.exe
Token: SeShutdownPrivilege	3000	WMIC.exe
Token: SeDebugPrivilege	3000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3000	WMIC.exe
Token: SeRemoteShutdownPrivilege	3000	WMIC.exe
Token: SeUndockPrivilege	3000	WMIC.exe
Token: SeManageVolumePrivilege	3000	WMIC.exe
Token: 33	3000	WMIC.exe
Token: 34	3000	WMIC.exe
Token: 35	3000	WMIC.exe
Token: 36	3000	WMIC.exe
Token: SeBackupPrivilege	4804	vssvc.exe
Token: SeRestorePrivilege	4804	vssvc.exe
Token: SeAuditPrivilege	4804	vssvc.exe
Token: 33	4060	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	4060	AgentSvr.exe
Token: 33	4060	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	4060	AgentSvr.exe
Token: 33	4060	AgentSvr.exe
Token: SeIncBasePriorityPrivilege	4060	AgentSvr.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: 33	4060	AgentSvr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
4060	AgentSvr.exe
4060	AgentSvr.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3980	!WannaDecryptor!.exe
3980	!WannaDecryptor!.exe
4008	!WannaDecryptor!.exe
4008	!WannaDecryptor!.exe
1276	!WannaDecryptor!.exe
1276	!WannaDecryptor!.exe
2816	BonziBuddy432.exe
2980	!WannaDecryptor!.exe
2980	!WannaDecryptor!.exe
4872	tv_enua.exe
4476	MSAGENT.EXE
388	AgentSvr.exe
4452	BonziBDY_35.EXE
4452	BonziBDY_35.EXE
2028	salinewin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1384	1364	msedge.exe	82
PID 1364 wrote to memory of 1384	1364	msedge.exe	82
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2112	1364	msedge.exe	83
PID 1364 wrote to memory of 2204	1364	msedge.exe	84
PID 1364 wrote to memory of 2204	1364	msedge.exe	84
PID 1364 wrote to memory of 2332	1364	msedge.exe	85
PID 1364 wrote to memory of 2332	1364	msedge.exe	85
PID 1364 wrote to memory of 2332	1364	msedge.exe	85
PID 1364 wrote to memory of 2332	1364	msedge.exe	85
PID 1364 wrote to memory of 2332	1364	msedge.exe	85
PID 1364 wrote to memory of 2332	1364	msedge.exe	85
PID 1364 wrote to memory of 2332	1364	msedge.exe	85
PID 1364 wrote to memory of 2332	1364	msedge.exe	85
PID 1364 wrote to memory of 2332	1364	msedge.exe	85
PID 1364 wrote to memory of 2332	1364	msedge.exe	85
PID 1364 wrote to memory of 2332	1364	msedge.exe	85
PID 1364 wrote to memory of 2332	1364	msedge.exe	85
PID 1364 wrote to memory of 2332	1364	msedge.exe	85
PID 1364 wrote to memory of 2332	1364	msedge.exe	85
PID 1364 wrote to memory of 2332	1364	msedge.exe	85
PID 1364 wrote to memory of 2332	1364	msedge.exe	85
PID 1364 wrote to memory of 2332	1364	msedge.exe	85
PID 1364 wrote to memory of 2332	1364	msedge.exe	85
PID 1364 wrote to memory of 2332	1364	msedge.exe	85
PID 1364 wrote to memory of 2332	1364	msedge.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://hypeddit.com/extremest/extremestdeadlyvirus
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc66c46f8,0x7ffcc66c4708,0x7ffcc66c4718
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3044 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6492 /prefetch:8
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7060 /prefetch:8
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1956 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6604 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6100 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4484
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 243691726952295.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:4044
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4164
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4008
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3716
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1276
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1320
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4044
- C:\Users\Admin\Downloads\BonziBuddy432.exe
  "C:\Users\Admin\Downloads\BonziBuddy432.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3408
  - - C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE
      MSAGENT.EXE
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4476
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3204
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:440
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3664
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3372
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4712
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3728
    - - C:\Windows\msagent\AgentSvr.exe
        
        "C:\Windows\msagent\AgentSvr.exe" /regserver
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:388
    - - C:\Windows\SysWOW64\grpconv.exe
        
        grpconv.exe -o
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
  - - C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe
      tv_enua.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4872
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:64
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4044
    - - C:\Windows\SysWOW64\grpconv.exe
        
        grpconv.exe -o
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://bonzibuddy.tk/
    3⤵
    PID:740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcc66c46f8,0x7ffcc66c4708,0x7ffcc66c4718
      4⤵
      PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7576 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8128 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7984 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7940 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8056 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7656 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,5970203277658446099,9719106629805581109,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6140 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4600

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4452

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb585cc40,0x7ffcb585cc4c,0x7ffcb585cc58
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,1326563737743814104,9437080032771527777,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2204,i,1326563737743814104,9437080032771527777,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,1326563737743814104,9437080032771527777,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2292 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,1326563737743814104,9437080032771527777,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3356,i,1326563737743814104,9437080032771527777,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,1326563737743814104,9437080032771527777,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:3668

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4980

C:\Users\Admin\Downloads\salinewin\salinewin.exe
"C:\Users\Admin\Downloads\salinewin\salinewin.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3160
- - C:\Windows\SysWOW64\reg.exe
    REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BonziBuddy432\ActiveSkin.ocx

Filesize
336KB

MD5
3d225d8435666c14addf17c14806c355

SHA1
262a951a98dd9429558ed35f423babe1a6cce094

SHA256
2c8f92dc16cbf13542ddd3bf0a947cf84b00fed83a7124b830ddefa92f939877

SHA512
391df24c6427b4011e7d61b644953810e392525743914413c2e8cf5fce4a593a831cfab489fbb9517b6c0e7ef0483efb8aeaad0a18543f0da49fa3125ec971e1

Download Submit
C:\Program Files (x86)\BonziBuddy432\Bonzi's Beach Checkers.exe

Filesize
7.8MB

MD5
c3b0a56e48bad8763e93653902fc7ccb

SHA1
d7048dcf310a293eae23932d4e865c44f6817a45

SHA256
821a16b65f68e745492419ea694f363926669ac16f6b470ed59fe5a3f1856fcb

SHA512
ae35f88623418e4c9645b545ec9e8837e54d879641658996ca21546f384e3e1f90dae992768309ac0bd2aae90e1043663931d2ef64ac541977af889ee72e721a

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziBDY_2.EXE

Filesize
796KB

MD5
8a30bd00d45a659e6e393915e5aef701

SHA1
b00c31de44328dd71a70f0c8e123b56934edc755

SHA256
1e2994763a7674a0f1ec117dae562b05b614937ff61c83b316b135afab02d45a

SHA512
daf92e61e75382e1da0e2aba9466a9e4d9703a129a147f0b3c71755f491c68f89ad67cfb4dd013580063d664b69c8673fb52c02d34b86d947e9f16072b7090fb

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE

Filesize
2.5MB

MD5
73feeab1c303db39cbe35672ae049911

SHA1
c14ce70e1b3530811a8c363d246eb43fc77b656c

SHA256
88c03817ae8dfc5fc9e6ffd1cfb5b829924988d01cd472c1e64952c5398866e8

SHA512
73f37dee83664ce31522f732bf819ed157865a2a551a656a7a65d487c359a16c82bd74acff2b7a728bb5f52d53f4cfbea5bef36118128b0d416fa835053f7153

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE

Filesize
3.2MB

MD5
93f3ed21ad49fd54f249d0d536981a88

SHA1
ffca7f3846e538be9c6da1e871724dd935755542

SHA256
5678fd744faddb30a87568ae309066ef88102a274fff62f10e4963350da373bc

SHA512
7923556c6d6feb4ff4253e853bae3675184eab9b8ce4d4e07f356c8624317801ee807ad5340690196a975824ea3ed500ce6a80c7670f19785139be594fa5e70f

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziCheckers.ocx

Filesize
152KB

MD5
66551c972574f86087032467aa6febb4

SHA1
5ad1fe1587a0c31bb74af20d09a1c7d3193ec3c9

SHA256
9028075603c66ca2e906ecac3275e289d8857411a288c992e8eef793ed71a75b

SHA512
35c1f500e69cdd12ec6a3c5daef737a3b57b48a44df6c120a0504d340e0f721d34121595ed396dc466a8f9952a51395912d9e141ad013000f5acb138b2d41089

Download Submit
C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page17.jpg

Filesize
50KB

MD5
e8f52918072e96bb5f4c573dbb76d74f

SHA1
ba0a89ed469de5e36bd4576591ee94db2c7f8909

SHA256
473a890da22defb3fbd643246b3fa0d6d34939ac469cd4f48054ee2a0bc33d82

SHA512
d57dd0a9686696487d268ef2be2ec2d3b97baedf797a63676da5a8a4165cda89540ec2d3b9e595397cbf53e69dcce76f7249f5eeff041947146ca7bf4099819f

Download Submit
C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page18.jpg

Filesize
45KB

MD5
108fd5475c19f16c28068f67fc80f305

SHA1
4e1980ba338133a6fadd5fda4ffe6d4e8a039033

SHA256
03f269cd40809d7ec94f5fa4fff1033a624e849179962693cdc2c37d7904233b

SHA512
98c8743b5af89ec0072b70de8a0babfb5aff19bafa780d6ce99c83721b65a80ec310a4fe9db29a4bb50c2454c34de62c029a83b70d0a9df9b180159ea6cad83a

Download Submit
C:\Program Files (x86)\BonziBuddy432\MSCOMCTL.OCX

Filesize
1.0MB

MD5
12c2755d14b2e51a4bb5cbdfc22ecb11

SHA1
33f0f5962dbe0e518fe101fa985158d760f01df1

SHA256
3b6ccdb560d7cd4748e992bd82c799acd1bbcfc922a13830ca381d976ffcccaf

SHA512
4c9b16fb4d787145f6d65a34e1c4d5c6eb07bff4c313a35f5efa9dce5a840c1da77338c92346b1ad68eeb59ef37ef18a9d6078673c3543656961e656466699cf

Download Submit
C:\Program Files (x86)\BonziBuddy432\MSINET.OCX

Filesize
112KB

MD5
7bec181a21753498b6bd001c42a42722

SHA1
3249f233657dc66632c0539c47895bfcee5770cc

SHA256
73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

SHA512
d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

Download Submit
C:\Program Files (x86)\BonziBuddy432\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Program Files (x86)\BonziBuddy432\Reg.nbd

Filesize
140B

MD5
a8ed45f8bfdc5303b7b52ae2cce03a14

SHA1
fb9bee69ef99797ac15ba4d8a57988754f2c0c6b

SHA256
375ecd89ee18d7f318cf73b34a4e15b9eb16bc9d825c165e103db392f4b2a68b

SHA512
37917594f22d2a27b3541a666933c115813e9b34088eaeb3d74f77da79864f7d140094dfac5863778acf12f87ccda7f7255b7975066230911966b52986da2d5c

Download Submit
C:\Program Files (x86)\BonziBuddy432\Reg.nbd

Filesize
129B

MD5
0dd98657e0a02edf45a6cf2cff5b4ae0

SHA1
c695c8d7a7e4cebff7073226f31331e984755210

SHA256
5c732cd7227910028cfd0f57a9fab2c7d96c389e819f90ccb729825ef9e3efbd

SHA512
1168235b6c31c0cd60461575ab24c0b3f8cbab090d6fc66b5674fa0b3a612a86a86b3b9996812a8aa47b8f57d707b32794cbe03b7b076cbf2de0e564d594ce7a

Download Submit
C:\Program Files (x86)\BonziBuddy432\Regicon.ocx

Filesize
76KB

MD5
32ff40a65ab92beb59102b5eaa083907

SHA1
af2824feb55fb10ec14ebd604809a0d424d49442

SHA256
07e91d8ed149d5cd6d48403268a773c664367bce707a99e51220e477fddeeb42

SHA512
2cfc5c6cb4677ff61ec3b6e4ef8b8b7f1775cbe53b245d321c25cfec363b5b4975a53e26ef438e07a4a5b08ad1dde1387970d57d1837e653d03aef19a17d2b43

Download Submit
C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat

Filesize
279B

MD5
4877f2ce2833f1356ae3b534fce1b5e3

SHA1
7365c9ef5997324b73b1ff0ea67375a328a9646a

SHA256
8ae1ed38bc650db8b14291e1b7298ee7580b31e15f8a6a84f78f048a542742ff

SHA512
dd43ede5c3f95543bcc8086ec8209a27aadf1b61543c8ee1bb3eab9bc35b92c464e4132b228b12b244fb9625a45f5d4689a45761c4c5263aa919564664860c5e

Download Submit
C:\Program Files (x86)\BonziBuddy432\SSCALA32.OCX

Filesize
472KB

MD5
ce9216b52ded7e6fc63a50584b55a9b3

SHA1
27bb8882b228725e2a3793b4b4da3e154d6bb2ea

SHA256
8e52ef01139dc448d1efd33d1d9532f852a74d05ee87e8e93c2bb0286a864e13

SHA512
444946e5fc3ea33dd4a09b4cbf2d41f52d584eb5b620f5e144de9a79186e2c9d322d6076ed28b6f0f6d0df9ef4f7303e3901ff552ed086b70b6815abdfc23af7

Download Submit
C:\Program Files (x86)\BonziBuddy432\SSCALB32.OCX

Filesize
320KB

MD5
97ffaf46f04982c4bdb8464397ba2a23

SHA1
f32e89d9651fd6e3af4844fd7616a7f263dc5510

SHA256
5db33895923b7af9769ca08470d0462ed78eec432a4022ff0acc24fa2d4666e1

SHA512
8c43872396f5dceb4ba153622665e21a9b52a087987eab523b1041031e294687012d7bf88a3da7998172010eae5f4cc577099980ecd6b75751e35cfc549de002

Download Submit
C:\Program Files (x86)\BonziBuddy432\Uninstall.exe

Filesize
65KB

MD5
578bebe744818e3a66c506610b99d6c3

SHA1
af2bc75a6037a4581979d89431bd3f7c0f0f1b1f

SHA256
465839938f2baec7d66dbc3f2352f6032825618a18c9c0f9333d13af6af39f71

SHA512
d24fcd2f3e618380cf25b2fd905f4e04c8152ee41aeee58d21abfc4af2c6a5d122f12b99ef325e1e82b2871e4e8f50715cc1fc2efcf6c4f32a3436c32727cd36

Download Submit
C:\Program Files (x86)\BonziBuddy432\ssa3d30.ocx

Filesize
320KB

MD5
48c35ed0a09855b29d43f11485f8423b

SHA1
46716282cc5e0f66cb96057e165fa4d8d60fbae2

SHA256
7a0418b76d00665a71d13a30d838c3e086304bacd10d764650d2a5d2ec691008

SHA512
779938ec9b0f33f4cbd5f1617bea7925c1b6d794e311737605e12cd7efa5a14bbc48bee85208651cf442b84133be26c4cc8a425d0a3b5b6ad2dc27227f524a99

Download Submit
C:\Program Files (x86)\BonziBuddy432\sstabs2.ocx

Filesize
288KB

MD5
7303efb737685169328287a7e9449ab7

SHA1
47bfe724a9f71d40b5e56811ec2c688c944f3ce7

SHA256
596f3235642c9c968650194065850ecb02c8c524d2bdcaf6341a01201e0d69be

SHA512
e0d9cb9833725e0cdc7720e9d00859d93fc51a26470f01a0c08c10fa940ed23df360e093861cf85055b8a588bb2cac872d1be69844a6c754ac8ed5bfaf63eb03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
91abe7396fba6d2476e94b33043c617d

SHA1
1e0ca7368e2c831f755d2d19ebb71680c882eb77

SHA256
94950e8aaa711e32110c131c9fbd97786e94748d6a5bc417f3b8ce15456534a0

SHA512
ec93763463a6c56d6a737d7494e26d152756de0ce91337fd47f406856fa6667ab34aa3cde62becb309289168d473e1b034413753b0aba7689c6e42dfdced3e26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f3216d8472757e8a5eb2638b0dfb7c18

SHA1
dd194ccd4fb0253177eac4715b3a0e9e5ac67f24

SHA256
da1c9dac55d93c513acfca7a23a86fc10175e616d0ad8f9981461135ae34fdf7

SHA512
bea32177fc3a3ea76edfdd077a5505b88135e7032f66c6b8d00f433e0bc945740d441bc3607c5c945c6a93fb66ac0e9dc9a0c35c3a4e00ec0d7cadbe42a40d14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d388a6a0307ab6878597d0cd421f6855

SHA1
ad57715fdc6a995e63e9e846cb67eca25f3214fb

SHA256
3d04febeb21d7263946621c41f3b80321b82a1dc8f7d63e58bf16e2539d77768

SHA512
c05b08440c82a39f5ceca53a9ead848a9fa6947f14261e96d7070d09dbb637478fb90b23d6c7c299939dd8fe10ec36a84ab20e71971256be0cb099808a57dd37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
1d43a9130fd91dddfde29197cc382c66

SHA1
ed03640dd03c359f2a9fa1504bcdd92b5c849685

SHA256
f5d4b252d61a7c07f312bafeaabbbd0f46b3b43bc9ff4c2ba943676a28e8cad8

SHA512
f74cef07af1604397378ae5924fed18dfc32b2f0f3dab0fc97ac697e45b236ef71bc0a9a4cfa6dc4f0ef8839d434d058e72d8e376917f781f6c800e73d2fcf42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\716eef00-e77c-4a1b-97e7-5ceb893442a4.tmp

Filesize
4KB

MD5
f20e809f6d84917f5763ac3193ecc71c

SHA1
190a9983a1386973b843355688ccde96defc6c14

SHA256
bcdb9af989f982a2cba368c05f89c1fc3acdde1d6152cb36c832f7cb2f891327

SHA512
75002fadc5c56405998154343f1c0628bbbaa20f5bb1a89a2941cf1736090b12d404e451ffc2fef051dc2fb4c86d9257d0b63d28a717d75930d96aca5a7bf79a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
70KB

MD5
4308671e9d218f479c8810d2c04ea6c6

SHA1
dd3686818bc62f93c6ab0190ed611031f97fdfcf

SHA256
5addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a

SHA512
5936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
43KB

MD5
23130a0e9655030e3489970b4382e32b

SHA1
6d096822d2fe0f902e3518bd997f9d9d222044c9

SHA256
bdf7e387b1076ddb95ac57de2e38d1bb329053c2720c0ec16476d0a0aed8c4c7

SHA512
63f8c625f8a486cf7b1975b39b5db28609e1d1f28c217146c0491fcb7cdc7d29857fa1b568c7ccee7007ad86361ee40a76e101ee2a769af0d77cbf580a3470b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
1.2MB

MD5
c6561471d93e5c1d01d94f8249886869

SHA1
29446bce8eef0ae01dffd11210b0891de665210b

SHA256
4895e986b1051309fdf92f4db6b4b6427a6f47fb9d1d65f3109209ff6e56b698

SHA512
679f78799d0c33563d25ae5ac61f1d12d381166ce2120e58c29707f9958041a12d45cc6da9e5e3d112be35360bc139717f5911dc8aa7be4c36b3e4e93b399a8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
43KB

MD5
d9b427d32109a7367b92e57dae471874

SHA1
ce04c8aeb6d89d0961f65b28a6f4a03381fc9c39

SHA256
9b02f8fe6810cacb76fbbcefdb708f590e22b1014dcae2732b43896a7ac060f3

SHA512
dcabc4223745b69039ea6a634b2c5922f0a603e5eeb339f42160adc41c33b74911bb5a3daa169cd01c197aeaca09c5e4a34e759b64f552d15f7a45816105fb07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
73KB

MD5
cf604c923aae437f0acb62820b25d0fd

SHA1
84db753fe8494a397246ccd18b3bb47a6830bc98

SHA256
e2b4325bb9a706cbfba8f39cca5bde9dae935cbb1d6c8a562c62e740f2208ab4

SHA512
754219b05f2d81d11f0b54e5c7dd687bd82aa59a357a3074bca60fefd3a88102577db8ae60a11eb25cc9538af1da39d25fa6f38997bdc8184924d0c5920e89c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034

Filesize
27KB

MD5
509d1e75f9876ecde056faafef5ae620

SHA1
2581fa11587d73ef6f611557954518ebb7908bc5

SHA256
b3b355f7ae6902d546436864f69c20e50ef07a43477109c5bd2afd5f0f06e954

SHA512
ad16b96f2f91ffdc12e08c1b86612bd9019ba6ea4dd2e1a2c98f586eaf27efafbcd5ca6e238a0ba7fd89a065c3bccb88d756837089e624133b2b33e67521ce7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004f

Filesize
18KB

MD5
2e23d6e099f830cf0b14356b3c3443ce

SHA1
027db4ff48118566db039d6b5f574a8ac73002bc

SHA256
7238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885

SHA512
165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000060

Filesize
18KB

MD5
129bea2406584d015231f9e044da5f4d

SHA1
267d947cfa549e6a41015d752dd76cbaea101513

SHA256
59b93e8a810a821a7b7a7f1e8b98e6c12719658504cfff2bd9dd520238d0d605

SHA512
129b657363b4eb76df30e89a8f31f90fe2e33edc88dbb9987d40a3c5c7a92fff02efab416f9100d018ef0c6407f28c23b18e42af60f037a95f58229dc6ff0697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
57d26a5ca1f869ca525649d45f305934

SHA1
4c426f2d3e247b9cd6b4ea5762c5255d0c181e4a

SHA256
93ac32039e3b4383e2da5a29625cb97da5fb5663bf199abb7823cc5e7941b109

SHA512
8d291430887ff34ade0e3607f7dea0e053f167c1b38c3323a0c781cc0ecfcdb6e6d581bc1651cc4e06363f58e0b39bd9de734339c0adb63d4b1ef40b4a700929

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
5430505e70f99884cf10af248a4492a5

SHA1
ad27ab2f9192d195819b95a659f0b96b3f8c4b6a

SHA256
3352f9fc0aa938afecdd7a797af5ba053e9739be54388c33ebbcd929a2d95a90

SHA512
ad402912b091bd069b072535c40e9ec60251c25dbe02394f970487f2eaa97bfd0fdb279062836cc815b23b61e4b1e4e42826d408f9d8a68bc5d5d85f38e49b45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b07bb474d0854f1549c4b471cecd7f67

SHA1
fa47175b1dbb76355a2c15427410e60a66e4e932

SHA256
834fb6c2e11e9ca5d90ae23c334a24547ec043d91995d043fd24437305279c6e

SHA512
6f695b254328264d9ed08131241baf65df97214f71e523a96a2e218325217510678b6b56b3b25b19876a3d19e8e664a5e653071dd191997e783e613ccc347eb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
5ba862375fc692127af688d835e4dd94

SHA1
a7d3932b704e76641f14f18b690770cb39f92228

SHA256
db3b2323cb84eb6801727cbbc30e1d1bbd42446780b8128bf153729d4c820a74

SHA512
9dc5fe031215fc25902349be802859c5cc0324498402ee427e00fdf8373fe9cb468bd4c4e68d71526ffbe02ffdded456cbf87273ff3fe379777ca13d1e364817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
ac3f87d770cb2ffd6851219fa0562ea3

SHA1
764eb53ab46c0ab5279dabaef122b879993c8cba

SHA256
2d11b5dcbf39289bba262c3fc725d9c5a51e12653f6a8a8038c5b87a64f09969

SHA512
8f35a1d29686928b795bbfbb344a46c0c742866fd80a307ca8329b2abe5fa07296249379c7afc97bb2f8eda23deda79665a27548b1d1fb7385fc340867eef916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5e3b4afbbaf40582fc92f85044e4d54e

SHA1
1e9a093461afb072b939d388dcc1ccbe80b83b33

SHA256
3fe40c2a5d744096b3b63f58967cd210a40ebda4191b88126cf30211f8ef38aa

SHA512
beb7a60d85e04be7eb94f52b11e79db4f6b36ca9e0dfc21fb2b0111c13c69e053bbead474b9ab598bf96d75a8f12446aaf8ff7053194592f70bd00829cefcfe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
3dcdefed8ec2b5355d2a7361a81a580e

SHA1
40c1d56d26eb413bf7abfee74830009c743facf6

SHA256
268e03bef6bd0c0b2c24baee450dcfb1e9729c81c1452c5c29a0f09b751c0e63

SHA512
90b4d7477b96c70a70af37fc8b0b6822fa717fe2fb1cb75d8205c4d5b095d53ad81e1dd84cb909cba84259b8ea632a610d4ec7f88f9c5792eb233ad58b299257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
c7881a4e74b3b0cb0f3f10d19f9a196e

SHA1
8d1fb36fd9fb533d55333fe9d304a5a5d3e8f7be

SHA256
637db728cdda566fc0f25d0c35ca3dbf0037bea75bb8db477a4b28b295cf6ab8

SHA512
39cbec82030acbf7550a057cc93bd6a15ea3080cc6d20fc23a90bc4bae3dd727203020970f4e78a4121016012db4530ad732f54f5ae924e7332a7e7c6c95470d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
6fc0e830f772cadbccd3fc5044e9f937

SHA1
37ad11c04e252b6a590cdef7bea9bc106a1b07b7

SHA256
d6f0053786e6f49c4dcaa60f827117eb08180d6f96f314f9b177f4afbff28a8a

SHA512
b350732f8b2c44f148a5273bdf3cb7dc4d4021071e30cb2dfd16df1951a134fa509307f75a80880d7222ffa321073b21596bc37b5ac5fc8abf37aec759ed0b54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
045123bac709e07c3a7251f9468c7601

SHA1
4ec77c695658a1542ff38bff26a41a3d2db7d7a2

SHA256
afa58bf1aae785e9093d723246b8d118908c3a5ea2437721af6fccebed46e2ca

SHA512
6834d9c2d2b25264630a46511676934565743e4fe49d2d8231209437270c891e109d4743d283bc9d57b7001417c8f121ebdd11f5a4b621148561b1794557ba50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
e0d4b3979608e88c56b95ca2755fdf5f

SHA1
e6a6de35ab402a254805294aa12b8bcbe6765496

SHA256
17a6e0f56c988e5479d228d3d9c5f8135d3913db7665a1edff58282f74bd2b13

SHA512
5e258e66317366d34901ececf06a9ddee27cd6a1b5f302df87b31a7343dec767e8d9f9cf30ed4297b1bfe150b1f649d37b4fd17bd1020872ae4e828604478a05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
872f6302590a5feab6e14590b18d7d39

SHA1
35324099e278ab216f982f3abfc9563925d7eb42

SHA256
dafda09f9bb4819a2e97e98fc077647f950e0d25e545e154bae52288daf2ead1

SHA512
125b5c46f8f41a13abca964886a5dfdfeb26ef89dadfc9411ed065f1214c848c2917625bce8d35a976597ea97ff3d0d636d16c37c8f991b16a2f5c737a3eb1db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7cff478c4917b35c4d1990621b8ad2cb

SHA1
55803fa1ebb8ab1c3b9f31a97d58ecb23f116002

SHA256
d6fc592c635fddf6428e81120ff5f3afacebb7df7aefd8b786820d0f1fa3a132

SHA512
12e46f27b9f7d2b3b2609b3658b7e868bd5647635e0eb3f7fcf9335df3e3bd14d77412bbf1bf766b42a4340d0cc0ba80e3b5e30a3598ac3316613e0e5a781dfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5ebfc8c300c8ab509dac00467207b809

SHA1
2f2c0c2299fac924b29e5d14ffc2880d30ef5d00

SHA256
c95d9be3b4d0e1aefb1ded4299159c70877ba87da3fa69520c0d20502f657ca7

SHA512
a53996c233ab5d31a4c50356598e9b5c9adccd4021354caa77f20c525af567a6840dd384a0bfe0d6637ce063faaf949fb4d036671888c97bdd90166d301eae93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
9cba25926a31f2e12e405397bec30eaa

SHA1
8043f7ee34718810402bff02c00c7245c5f65793

SHA256
e2cb0faa18e992d03e0d0cf9a0b720e1d2bb934e39f73ff29022802ecf1a6013

SHA512
1bc0efd9a998bff8063eaff77c2104cc7eeebe7b9c1c35fe98c9ec1ed91691f8bd1bc1f5ead03b426851e01102940e1397d5615a69a3205510173c4113554282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
3db27474c2cfbef70dadc39b3e453864

SHA1
74bd5cbbaf7044efab8ec5dcc4639dafe32dba6a

SHA256
0c825a3de76424c8becfe753abc3f973ad9ef616303eea135eaf5619e9a65436

SHA512
a40fbd2bcaf7397a869db9ec7ad2363ad1681de86d805e3c0f2cc64e895195d2beb494e2b8cd1198c74c05ab97ec473c5029f7084f24be2682f93fe110bf80db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
bcafd3e0af1fc4d30420cd2318f1ef33

SHA1
996595b294b59be775853e645e180749efd5c8b0

SHA256
41d6d2996baf5fcec89d88c6c646f8bd942c3787dd28b5dbb1146e2ea35b228a

SHA512
4ed684b6386ab0d40fb2ef1ebad594cb929a2d58fabda83a210f8419e83316407f36661e1ee9bfa15d1045cfd09aeca8f7a4422fea55557d462f3d89fa5b3cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
811b2cc76055b0d984b755a8ea32f7f0

SHA1
d6778749f5d3e58aada4a5b4bb790c8cf76aea81

SHA256
59ead458ba7cc89d2a5eb5ff82b25c22bdf3f121dcc03e14e6d3f05c9837f624

SHA512
ccb617688cd87469ab05f5c02ae73f7b46ce5b3e68dd9e9db7610cbcaecf6b1006787652e7a388369a0b8b1022447d882e6451378c522cf0715a8db7ebef3f6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
90bbff05097e83c1c225a9c9ee8905a8

SHA1
7f8274149b4f48aedb496588097230d39347a9e8

SHA256
c90be2e30c2a4802044d5c0df12fd08d3cf627858e4c818134e8c37d0141fdf4

SHA512
96dd2031c7536a3ee7276c6dd9eb0cbd3a5d77d15d0997b3fb701cebd2650d139d291b608fe635cc318f11c38560aa07d39bc64973b1aa6d30cee3fee8ec4ab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
5ac0ef4f56cedbef5df812ca4ebb9b9b

SHA1
ddf95386b15d91cb4be3f8e6cb02578966637815

SHA256
54218460b0a54d397dfaeab36a6459ac420e14fb592e0ac370e001261588327b

SHA512
aaf36c578752f35f134f418616b14ca638aee047d694b99abf80d88bb327432aedfe6861552de4522708cb44e04a9c635bb7f36c84fd51620555d111c7a37a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
479cb781ba852a63aed3479f5ff8aeec

SHA1
3b7b96b3d9a3df27e869baaa5820d10a59b9fd72

SHA256
d986382bc989a9a60b555be1119d498c0b94c99098da9acdc94a9db103205d16

SHA512
a977e5d011d36be5a0dcc71609bb0625876bd7d01e751301513a551ce98cf3304edfbba9ee05d953584cf2935195ad1ce91d0e52e7dca4808ab8a496489fef23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8354daa89d3af6ce917ae1ff397fec39

SHA1
3f33eb3be037d4d5321c5ba5d870d7ea7b503981

SHA256
534c0e9845de29a20335320f0e1c7c5c64a431312d2d591ab5f1d9128af7236f

SHA512
fbcebd534ddb81fa94bfef980445d7b6222f60d21878a46e5350f3d1807f771919075343e7f383c7c8792e00fa1fed65453d28dcb748a5cb66267bbc58269676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d5f86ed892849093ec8daf7e8c8fec83

SHA1
b3cbc628dc02617b0a891eddae05191de985480b

SHA256
6773d749382442aa4066f5a76908371e2f4573676fd01d4dd7aa0e0b260ad698

SHA512
d07f4c0dc01be64282dc0fcce20f3a856964595d7b4c1ce2f4c8b7d15596f0b062f2e260a5e2077434fc81b13f9bc8e3d01a3f8f7477ecd03b2af51cc0180c49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
17a13cede38ad424e9c606921a650107

SHA1
55e0897e7139dd7e9e3b7304d7ff969620864267

SHA256
40cc1acc513ff2393e439ea48524291f88f088825d7251e5e222074d41f1e0a8

SHA512
80a502bbb90fde6906c7e75a71cec06fd4ca0e3cbcd45471e6943a9a093b1b5a140c8299f9af90f2b892eb884a8e0b83c369a38a3324b92c6887bec7d4448a05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
989dc9d3934ded02db4f1c516fb58d0d

SHA1
08a41394582da05e4c564c730e71349c76afdae2

SHA256
2b25a0d3450666cc8fddc657e9a47575c51ffb3f8ce069d15b39632484031d5d

SHA512
708adfdced8b2fd342bf222f7dcff2ccd0aaf722adc735a27dd6f0deabf42477b994e0cfabbf12ddcd7f68e42fe28c809729ecf47d84e964021a07d0fce7e85f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
7839607c5c04d817b96f709df958624d

SHA1
e865776eeb943e28f5edc4091ed40ca45e4dbfb9

SHA256
bfc95df35ae04f92c69f4f1b7a572aef5f5d120d7034de45346e60ffe56e7d8e

SHA512
a43c0b545452edb71eb67bd1a03eccb26343499654fd257f43d266f3ddb79efa9f2cd638651190c1ebffc62d6bc3f3de47a64a288ef11daae76eb853a97c723d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
88fc6aeab9740e456065abbe4655deee

SHA1
59eef10785b32f823e87d59eec82cfd433c97a60

SHA256
f06c957f9119b4f614288fbc3fce55a857da85224d25c4505d12916fc223c022

SHA512
27847b069206fe406c94d275a437d4154ac8ea2887b6f1b61d63ed1500122a807c62fced9d5ee580776781289a3b63d60334b43a72335fcbb343963029fb7f90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
6be523f985e56c4b8884fe1033cc028b

SHA1
589c8f46645ea738e59fbca116ba4acbb97adfcd

SHA256
2147931ba0d4d93102df325550ad68d31d1370220e512c3ce05b516bd061a0e3

SHA512
9f2ad6a460a5e970548a1ba5a5bc4a7131097de6ccddb0edd8056ce220dcab83d4de88a8ee61b21236def1393ca10e521b4d469a6af86755938232256129c383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
4de9ddeff2a1936458a623c1680806ee

SHA1
5f3d9f27a919e9f567bf110697082318b616e59a

SHA256
d0d46020c5274d759f29f4acd91472261da72ab082fb0883e3589417f0e9fee6

SHA512
a26f69a97b76d47cbf7c937f3ff1018602fca8773a590ac8e31f2f2152b6553144e6e8ff65ff7aec957c348c6bba5cb886708f3d31d094a8559f4d2cc2e5bd26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
bf5316b47379c4ee7a670b148adcd23e

SHA1
0a348544cdf127cc2dd002c1cef58ca583e93f6b

SHA256
a9f47b51573f90f88f3112fe30940e3d89427a8b2d713ce845686acadfbcdfc4

SHA512
7896318085f00bba1530d851c4deadf91242f714451a76bf44815086a12279980e8ca782ed002e9a43a1e8215043ba47540f995142156197a6e596722c554c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
8b3c69227fd6ea9bfb9d1e7c410c257c

SHA1
0646bf4cf404135890ef730191e7c5cf003eee53

SHA256
0af988e01ce6fb5e0b74830d21deb5fc5d72a52c10f348311f54353fe566ba78

SHA512
a09c847b86ab07c8ffba5d317dc3a824a92706ea26a798b41780e0735e05901d7ca5ad3097a27cd9309d7ce270427ec35c64a2477b899a6cc0e3214fce9f1a2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6f7d7697638ac339d478cd6f0d5a1f90

SHA1
b92762fd22aa1aae6ee6e4bbcfb4afaafe123bd8

SHA256
ace628398ce45fce62d0051f546b5206ffc7f3aa94a95c5f540b3ab401afeded

SHA512
618d4e95ddcc635990f582da1841e12affcc475f38e31b0ad5676717fe49ed65f7b20712718f82667913e337f0c352f50c7231e7dfb94ab89c54c076d84d768a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
cc2dd92f6f408eca1a9dea98df3303d1

SHA1
0d74a57576c5feb33c1529058a310c61e026e855

SHA256
efa9b4b576d2c895c782d4816d690b375dc90c04cbbab9ee86eff65aabc7d35f

SHA512
395ca003fcaa047453d3e1ff52e2dd19eb7f7088624ca282a476ab6fbd608b19e627a6a3cd2271b01a093f14ef17a6c40959daf473d25ef92148759e4c216dae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
4aa56aba5cd49524d14bd3777789b947

SHA1
0d7a989cec5f51d902423dfe9d4dc784d354dc96

SHA256
74a1f0dfd7d210a7889cfdfe1044ae83ebe768b7de5ea930926f361c2320a66b

SHA512
2ca82f10073b7466d9ac06c39f947baef0f60649ec30e43e28b185546b01b660ba2ca1d82da30a1e61f25ed4ab0fb88fc12625ec3ec1a69d4cb93bf7fe6e6680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582d83.TMP

Filesize
2KB

MD5
d0ec9517ef67921880adbce5ec4c92e5

SHA1
af62dc7fd570343b9c240db8993a9630647cec46

SHA256
5ab1b00986379bdfe84b4b346f88e469be8819d0b3d04c2af31eff978f73561c

SHA512
d03edbdb2c3ff736c0ef83bd33722d3de6427236349ecd8cf030fa592d11e58d4ef06f11f12b9a6ec073fdb467c6bb270eb0cce324ef743c5bc85a15b3019ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a803476071a11bab3ae61a373d3ba31c

SHA1
8394b5a102cccaa8ca9914f9f0156c92e1007adf

SHA256
cc94b9733b3325b1dcba0138ed84ce16b523259331238839659794c1ada8a782

SHA512
07cfdff6578e9951f475020b95c9076214e11a7544da2e0a5b480439c9035d785bed8a0a9db00ecc623faea8494b361c1b782ee29d17e06cc8ca47187b1f626b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ca48f79c44380dcf8f2c39f4fde7a603

SHA1
201a94a91024fa3040bd36b330f04ee1e5b0e5fd

SHA256
5469d1d02a6f6e3f5518162060205e34d9cafa1adee3f72c7206ea431c8317ad

SHA512
68f9b6fcdd201f5740fa5a260d7476b269f9dfd390b21c782e59a2989529f7aafef81c50b39879eb4f4d43c18325f84168b56016618a6398b569906619277e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4fcf89301f102f2a0ec5b96cd262d0e5

SHA1
f44f41c99507bbd613595e374ebf2cfac47ce37c

SHA256
7f003f82d3047b496f8f6201ef08fd9637c61652752b8f9b3f2c18f21a27d9d6

SHA512
886e4b8dc4470676384c32f5444d498f3ce1e58a969aada0196110bf6aa3defd73a09b6cd1a55a030a6552adbb925d6178804a57dd52af4f9cee1a9a53b2525d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d23e03fe04eeaa3fde2e1bdfa05a2a93

SHA1
b15742198f38cdb8ba980a55d45930dfdf67597f

SHA256
56cb2c7e1d6d4d4c76a0bf73081c09860932f63b23bb063acbb2224782592dcb

SHA512
2b81b105cc6a1605b7cdde1210867b1c0ed63cd0a67c49ac2b74393247bace87cad5c2e37d9c28e3fef3b48760929d45501644b413fc8518a060c5b89e48afe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2c5b5a54cc4da52edf6e8a8b43a0adef

SHA1
d7a7b00ee8b14e79ae2241d897775265a207f217

SHA256
74bf03f4b65749d9f823e232bbf006b516aec457b44902255ab4f2a94de976eb

SHA512
e9bcdb48020ba6de296c857605b67eca2ee5259cabd2152c669652369dd390fb007c7026d817f856cbe607c8ac87de3d5c7fa4264eb80a3234f96f5bd4718d51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a7353c1f4f6e8cdba16c3ab64173fab8

SHA1
ada85ffcd5af75965c651c7ad89a3a5e11e4ea21

SHA256
5c2cfaf2cc00c6bac5d04c431d400347f7f90f015a5fa54ba39f53304738bfe9

SHA512
c3b7e29f34f78a10527fc54a9d0f0175c7b70cdaf1a7ba21402d4eada76e0bcb8d841daa59e2ce3d4a04fd8972f492825972625f32aa939a45621742adf24bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

Filesize
8.0MB

MD5
8e15b605349e149d4385675afff04ebf

SHA1
f346a886dd4cb0fbbd2dff1a43d9dfde7fce348b

SHA256
803f930cdd94198bdd2e9a51aa962cc864748067373f11b2e9215404bd662cee

SHA512
8bf957ef72465fe103dbf83411df9082433eead022f0beccab59c9e406bbd1e4edb701fd0bc91f195312943ad1890fee34b4e734578298bb60bb81ed6fa9a46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0002.tmp

Filesize
8.0MB

MD5
596cb5d019dec2c57cda897287895614

SHA1
6b12ea8427fdbee9a510160ff77d5e9d6fa99dfa

SHA256
e1c89d9348aea185b0b0e80263c9e0bf14aa462294a5d13009363140a88df3ff

SHA512
8f5fc432fd2fc75e2f84d4c7d21c23dd1f78475214c761418cf13b0e043ba1e0fc28df52afd9149332a2134fe5d54abc7e8676916100e10f374ef6cdecff7a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0003.tmp

Filesize
8.0MB

MD5
7c8328586cdff4481b7f3d14659150ae

SHA1
b55ffa83c7d4323a08ea5fabf5e1c93666fead5c

SHA256
5eec15c6ed08995e4aaffa9beeeaf3d1d3a3d19f7f4890a63ddc5845930016cc

SHA512
aa4220217d3af263352f8b7d34bd8f27d3e2c219c673889bc759a019e3e77a313b0713fd7b88700d57913e2564d097e15ffc47e5cf8f4899ba0de75d215f661d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0004.tmp

Filesize
8.0MB

MD5
4f398982d0c53a7b4d12ae83d5955cce

SHA1
09dc6b6b6290a3352bd39f16f2df3b03fb8a85dc

SHA256
fee4d861c7302f378e7ce58f4e2ead1f2143168b7ca50205952e032c451d68f2

SHA512
73d9f7c22cf2502654e9cd6cd5d749e85ea41ce49fd022378df1e9d07e36ae2dde81f0b9fc25210a9860032ecda64320ec0aaf431bcd6cefba286328efcfb913

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0005.tmp

Filesize
8.0MB

MD5
94e0d650dcf3be9ab9ea5f8554bdcb9d

SHA1
21e38207f5dee33152e3a61e64b88d3c5066bf49

SHA256
026893ba15b76f01e12f3ef540686db8f52761dcaf0f91dcdc732c10e8f6da0e

SHA512
039ccf6979831f692ea3b5e3c5df532f16c5cf395731864345c28938003139a167689a4e1acef1f444db1fe7fd3023680d877f132e17bf9d7b275cfc5f673ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0006.tmp

Filesize
1.8MB

MD5
b3b7f6b0fb38fc4aa08f0559e42305a2

SHA1
a66542f84ece3b2481c43cd4c08484dc32688eaf

SHA256
7fb63fca12ef039ad446482e3ce38abe79bdf8fc6987763fe337e63a1e29b30b

SHA512
0f4156f90e34a4c26e1314fc0c43367ad61d64c8d286e25629d56823d7466f413956962e2075756a4334914d47d69e20bb9b5a5b50c46eca4ef8173c27824e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTANM.DLL

Filesize
40KB

MD5
48c00a7493b28139cbf197ccc8d1f9ed

SHA1
a25243b06d4bb83f66b7cd738e79fccf9a02b33b

SHA256
905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7

SHA512
c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTCTL.DLL

Filesize
160KB

MD5
237e13b95ab37d0141cf0bc585b8db94

SHA1
102c6164c21de1f3e0b7d487dd5dc4c5249e0994

SHA256
d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a

SHA512
9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDP2.DLL

Filesize
60KB

MD5
a334bbf5f5a19b3bdb5b7f1703363981

SHA1
6cb50b15c0e7d9401364c0fafeef65774f5d1a2c

SHA256
c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de

SHA512
1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDPV.DLL

Filesize
64KB

MD5
7c5aefb11e797129c9e90f279fbdf71b

SHA1
cb9d9cbfbebb5aed6810a4e424a295c27520576e

SHA256
394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed

SHA512
df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTMPX.DLL

Filesize
60KB

MD5
4fbbaac42cf2ecb83543f262973d07c0

SHA1
ab1b302d7cce10443dfc14a2eba528a0431e1718

SHA256
6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5

SHA512
4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTPSH.DLL

Filesize
36KB

MD5
b4ac608ebf5a8fdefa2d635e83b7c0e8

SHA1
d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9

SHA256
8414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f

SHA512
2c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSR.DLL

Filesize
60KB

MD5
9fafb9d0591f2be4c2a846f63d82d301

SHA1
1df97aa4f3722b6695eac457e207a76a6b7457be

SHA256
e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d

SHA512
ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSVR.EXE

Filesize
268KB

MD5
5c91bf20fe3594b81052d131db798575

SHA1
eab3a7a678528b5b2c60d65b61e475f1b2f45baa

SHA256
e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175

SHA512
face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.DLL

Filesize
28KB

MD5
0cbf0f4c9e54d12d34cd1a772ba799e1

SHA1
40e55eb54394d17d2d11ca0089b84e97c19634a7

SHA256
6b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1

SHA512
bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.HLP

Filesize
8KB

MD5
466d35e6a22924dd846a043bc7dd94b8

SHA1
35e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10

SHA256
e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801

SHA512
23b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT20.INF

Filesize
2KB

MD5
e4a499b9e1fe33991dbcfb4e926c8821

SHA1
951d4750b05ea6a63951a7667566467d01cb2d42

SHA256
49e6b848f5a708d161f795157333d7e1c7103455a2f47f50895683ef6a1abe4d

SHA512
a291bb986293197a16f75b2473297286525ac5674c08a92c87b5cc1f0f2e62254ea27d626b30898e7857281bdb502f188c365311c99bda5c2dd76da0c82c554a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTCTL15.TLB

Filesize
28KB

MD5
f1656b80eaae5e5201dcbfbcd3523691

SHA1
6f93d71c210eb59416e31f12e4cc6a0da48de85b

SHA256
3f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2

SHA512
e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTINST.INF

Filesize
7KB

MD5
b127d9187c6dbb1b948053c7c9a6811f

SHA1
b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9

SHA256
bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00

SHA512
88e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSLWVTTS.DLL

Filesize
52KB

MD5
316999655fef30c52c3854751c663996

SHA1
a7862202c3b075bdeb91c5e04fe5ff71907dae59

SHA256
ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0

SHA512
5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ADVPACK.DLL

Filesize
73KB

MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Msvcirt.dll

Filesize
76KB

MD5
e7cd26405293ee866fefdd715fc8b5e5

SHA1
6326412d0ea86add8355c76f09dfc5e7942f9c11

SHA256
647f7534aaaedffa93534e4cb9b24bfcf91524828ff0364d88973be58139e255

SHA512
1114c5f275ecebd5be330aa53ba24d2e7d38fc20bb3bdfa1b872288783ea87a7464d2ab032b542989dee6263499e4e93ca378f9a7d2260aebccbba7fe7f53999

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Msvcp50.dll

Filesize
552KB

MD5
497fd4a8f5c4fcdaaac1f761a92a366a

SHA1
81617006e93f8a171b2c47581c1d67fac463dc93

SHA256
91cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a

SHA512
73d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\W95INF16.DLL

Filesize
2KB

MD5
7210d5407a2d2f52e851604666403024

SHA1
242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9

SHA256
337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af

SHA512
1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\W95INF32.DLL

Filesize
4KB

MD5
4be7661c89897eaa9b28dae290c3922f

SHA1
4c9d25195093fea7c139167f0c5a40e13f3000f2

SHA256
e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5

SHA512
2035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\andmoipa.ttf

Filesize
29KB

MD5
c3e8aeabd1b692a9a6c5246f8dcaa7c9

SHA1
4567ea5044a3cef9cb803210a70866d83535ed31

SHA256
38ae07eeb7909bda291d302848b8fe5f11849cf0d597f0e5b300bfed465aed4e

SHA512
f74218681bd9d526b68876331b22080f30507898b6a6ebdf173490ca84b696f06f4c97f894cb6052e926b1eee4b28264db1ead28f3bc9f627b4569c1ddcd2d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tv_enua.dll

Filesize
1.2MB

MD5
ed98e67fa8cc190aad0757cd620e6b77

SHA1
0317b10cdb8ac080ba2919e2c04058f1b6f2f94d

SHA256
e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d

SHA512
ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tv_enua.hlp

Filesize
11KB

MD5
80d09149ca264c93e7d810aac6411d1d

SHA1
96e8ddc1d257097991f9cc9aaf38c77add3d6118

SHA256
382d745e10944b507a8d9c69ae2e4affd4acf045729a19ac143fa8d9613ccb42

SHA512
8813303cd6559e2cc726921838293377e84f9b5902603dac69d93e217ff3153b82b241d51d15808641b5c4fb99613b83912e9deda9d787b4c8ccfbd6afa56bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tv_enua.inf

Filesize
2KB

MD5
0a250bb34cfa851e3dd1804251c93f25

SHA1
c10e47a593c37dbb7226f65ad490ff65d9c73a34

SHA256
85189df1c141ef5d86c93b1142e65bf03db126d12d24e18b93dd4cc9f3e438ae

SHA512
8e056f4aa718221afab91c4307ff87db611faa51149310d990db296f979842d57c0653cb23d53fea54a69c99c4e5087a2eb37daa794ba62e6f08a8da41255795

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tvenuax.dll

Filesize
40KB

MD5
1587bf2e99abeeae856f33bf98d3512e

SHA1
aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9

SHA256
c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0

SHA512
43161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
91f607b688c14c8c3ef5d080677376b5

SHA1
f572ce34e62e90b12dea5fab42560beddcdcf557

SHA256
0ef49d9df6813751f8eba6701028d1a064facc30619a77ea7d1820bbda2dbad6

SHA512
d23966b458dbd32b0d10c2838845b15bcccb870977c17fd96c67c6a77184e726908e1fce02404128f4406cb806d6996df7a71559f362372a00750a5658f65eb3

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
aae3cb964245358768d0c1ee06801091

SHA1
5f3aecd5b4be691ed301192113a3a81f2c861546

SHA256
35a7b4bc21734d8151900137cb34f4f2b7dabe3c86c567cbaf02b3b6da7b8034

SHA512
17f1f29456815e2d6e0e13c58dc33965a817d18eda37906da389cf380cf81a5fed88d30da13e84b9b34f3ee626bbde10cd9b2d5c6f0097d96772057d22924492

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
4dd4a5cd8ed831026253fb789f033a9d

SHA1
e0cf1cbe94f8b6f059a3b25d15ea74956a1cbc96

SHA256
45ed7353ed2f84033209961bdaf551d17e6d401ac2b44c8c015779e273bf1023

SHA512
dc3bd5edc1cde7e7e0f1d11c4228b58953f8d41d88752ce4eb4cc778408aee3b25ebea8c6604138f308323612a6933dfade2c81408a6450c518ee79715f65d99

Download Submit
C:\Users\Admin\Downloads\243691726952295.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 401101.crdownload

Filesize
49.9MB

MD5
06d87d4c89c76cb1bcb2f5a5fc4097d1

SHA1
657248f78abfa9015b77c431f2fd8797481478fd

SHA256
f1e859d99072e35f20e172d8458e3ea1baf8ba86c8c9e311a0debcd2acd5d0fc

SHA512
12bcc681544bfc0cb5f1a3c2e5e3d475efdf5abb8bf0e18cb18f529a82d551f39e16de2d3f0664c2c2cbfab2bc4702e256b958acadca53424e6d8760b6f457f9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 467998.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
ea44972c27173f37e290b71ef784b7f5

SHA1
0d9e4c8b6cb85038a6ec844b67266623b7979fda

SHA256
8f17e3154de640790fb7cef593ad5078cf5bde63b7da75d6e0254db60c5ef3ff

SHA512
3f04dfc224c3a5285fb045a77c8c7f49d3832f65dc3d61173595ce2228cfcb42e1d165e61f862736b4603942467c9e8c616b8f13d81c05ab99f2bc6b35ca02af

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\salinewin.zip

Filesize
203KB

MD5
19a966f0b86c67659b15364e89f3748b

SHA1
94075399f5f8c6f73258024bf442c0bf8600d52b

SHA256
b3020dd6c9ffceaba72c465c8d596cf04e2d7388b4fd58f10d78be6b91a7e99d

SHA512
60a926114d21e43c867187c6890dd1b4809c855a8011fcc921e6c20b6d1fb274c2e417747f1eef0d64919bc4f3a9b6a7725c87240c20b70e87a5ff6eba563427

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Windows\msagent\chars\Bonzi.acs

Filesize
5.0MB

MD5
1fd2907e2c74c9a908e2af5f948006b5

SHA1
a390e9133bfd0d55ffda07d4714af538b6d50d3d

SHA256
f3d4425238b5f68b4d41ed5be271d2f4118a245baf808a62dc1a9e6e619b2f95

SHA512
8eede3e5e52209b8703706a3e3e63230ba01975348dcdc94ef87f91d7c833a505b177139683ca7a22d8082e72e961e823bc3ad1a84ab9c371f5111f530807171

Download Submit
C:\Windows\msagent\chars\Peedy.acs

Filesize
4.0MB

MD5
49654a47fadfd39414ddc654da7e3879

SHA1
9248c10cef8b54a1d8665dfc6067253b507b73ad

SHA256
b8112187525051bfade06cb678390d52c79555c960202cc5bbf5901fbc0853c5

SHA512
fa9cab60fadd13118bf8cb2005d186eb8fa43707cb983267a314116129371d1400b95d03fbf14dfdaba8266950a90224192e40555d910cf8a3afa4aaf4a8a32f

Download Submit
memory/2816-3397-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2816-3761-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2816-2711-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4600-1244-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download