Malware Analysis Report

2024-12-07 14:53

Sample ID 241009-wv6pwa1cqp
Target https://www.gimkit.com/me
Tags
wannacry defense_evasion discovery evasion execution exploit impact persistence ransomware spyware stealer trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://www.gimkit.com/me was found to be: Known bad.

Malicious Activity Summary

wannacry defense_evasion discovery evasion execution exploit impact persistence ransomware spyware stealer trojan worm

Wannacry

UAC bypass

Modifies WinLogon for persistence

Deletes shadow copies

Disables RegEdit via registry modification

Downloads MZ/PE file

Disables Task Manager via registry modification

Possible privilege escalation attempt

Drops startup file

Modifies file permissions

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Checks whether UAC is enabled

Sets desktop wallpaper using registry

Drops file in Windows directory

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Modifies registry key

Views/modifies file attributes

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Modifies registry class

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Modifies Control Panel

System policy modification

NTFS ADS

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-09 18:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-09 18:15

Reported

2024-10-09 18:28

Platform

win10v2004-20241007-en

Max time kernel

752s

Max time network

754s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.gimkit.com/me

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A

Wannacry

ransomware worm wannacry

Deletes shadow copies

ransomware defense_evasion impact execution

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\MrsMajor3.0_2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6E89.tmp C:\Users\Admin\Downloads\WannaCry.EXE N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD6EA0.tmp C:\Users\Admin\Downloads\WannaCry.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\WannaCry.EXE N/A
N/A N/A C:\Users\Admin\Downloads\WannaCry.EXE N/A
N/A N/A C:\Users\Admin\Downloads\WannaCry.EXE N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\WannaCry.EXE N/A
N/A N/A C:\Users\Admin\Downloads\WannaCry.EXE N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Users\Admin\Downloads\WannaCry.EXE N/A
N/A N/A C:\Users\Admin\Downloads\WannaCry.EXE N/A
N/A N/A C:\Users\Admin\Downloads\WannaCry.EXE N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\MrsMajor3.0_2.exe N/A
N/A N/A C:\Users\Admin\Downloads\MrsMajor3.0_2.exe N/A
N/A N/A C:\Users\Admin\Downloads\MrsMajor3.0_2.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\MrsMajor3.0_2.exe N/A
N/A N/A C:\Users\Admin\Downloads\MrsMajor3.0_2.exe N/A
N/A N/A C:\Users\Admin\Downloads\MrsMajor3.0_2.exe N/A
N/A N/A C:\Users\Admin\Downloads\MrsMajor3.0_2.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\MrsMajor3.0_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\muueckti936 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\"" C:\Windows\SysWOW64\reg.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A camo.githubusercontent.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" C:\Users\Admin\Downloads\WannaCry.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" C:\Users\Admin\Downloads\@[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\wlp.tmp" C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\windows\winbase_base_procid_none\secureloc0x65\rcur.cur C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A
File opened for modification C:\windows\winbase_base_procid_none\secureloc0x65\ui65.exe C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A
File opened for modification C:\windows\winbase_base_procid_none\secureloc0x65\logonuiOWR.exe C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A
File created C:\Windows\rescache\_merged\2229298842\2338367480.pri C:\Windows\system32\LogonUI.exe N/A
File opened for modification C:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A
File opened for modification C:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A
File opened for modification C:\windows\winbase_base_procid_none\secureloc0x65\WinRapistI386.vbs C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\MrsMajor3.0_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\WannaCry.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\WannaCry.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\MrsMajor3.0_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\WannaCry.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\WannaCry.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\WannaCry.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\MrsMajor3.0_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\MrsMajor3.0_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\WannaCry.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\MrsMajor3.0_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\WannaCry.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\MrsMajor3.0_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\MrsMajor3.0_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\MrsMajor3.0_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\WannaCry.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Cursors\Crosshair = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Cursors\IBeam = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Cursors\No = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "194" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 18083.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 910102.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 440758.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\shutdown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4236 wrote to memory of 2496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 2496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 3220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 1844 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 1844 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4236 wrote to memory of 4952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.gimkit.com/me

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8bd3d46f8,0x7ff8bd3d4708,0x7ff8bd3d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6216 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4bc 0x2f4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6656 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3528 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7568 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7576 /prefetch:8

C:\Users\Admin\Downloads\WannaCry.EXE

"C:\Users\Admin\Downloads\WannaCry.EXE"

C:\Users\Admin\Downloads\WannaCry.EXE

"C:\Users\Admin\Downloads\WannaCry.EXE"

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Users\Admin\Downloads\WannaCry.EXE

"C:\Users\Admin\Downloads\WannaCry.EXE"

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 190641728498266.bat

C:\Windows\SysWOW64\cscript.exe

cscript.exe //nologo m.vbs

C:\Windows\SysWOW64\attrib.exe

attrib +h +s F:\$RECYCLE

C:\Users\Admin\Downloads\WannaCry.EXE

"C:\Users\Admin\Downloads\WannaCry.EXE"

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Users\Admin\Downloads\WannaCry.EXE

"C:\Users\Admin\Downloads\WannaCry.EXE"

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Users\Admin\Downloads\@[email protected]

@[email protected] co

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b @[email protected] vs

C:\Users\Admin\Downloads\@[email protected]

@[email protected] vs

C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe

TaskData\Tor\taskhsvc.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\Downloads\WannaCry.EXE

"C:\Users\Admin\Downloads\WannaCry.EXE"

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Users\Admin\Downloads\WannaCry.EXE

"C:\Users\Admin\Downloads\WannaCry.EXE"

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Users\Admin\Downloads\WannaCry.EXE

"C:\Users\Admin\Downloads\WannaCry.EXE"

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "muueckti936" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "muueckti936" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1328 /prefetch:1

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7976 /prefetch:1

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7860 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7292 /prefetch:1

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8288 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6568 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7308 /prefetch:8

C:\Users\Admin\Downloads\MrsMajor3.0_2.exe

"C:\Users\Admin\Downloads\MrsMajor3.0_2.exe"

C:\Users\Admin\Downloads\MrsMajor3.0_2.exe

"C:\Users\Admin\Downloads\MrsMajor3.0_2.exe"

C:\Users\Admin\Downloads\MrsMajor3.0_2.exe

"C:\Users\Admin\Downloads\MrsMajor3.0_2.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4bc 0x2f4

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7244 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=4756 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,18141172244034908136,2181426297892469072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1

C:\Users\Admin\Downloads\MrsMajor3.0_2.exe

"C:\Users\Admin\Downloads\MrsMajor3.0_2.exe"

C:\Users\Admin\Downloads\MrsMajor3.0_2.exe

"C:\Users\Admin\Downloads\MrsMajor3.0_2.exe"

C:\Users\Admin\Downloads\MrsMajor3.0_2.exe

"C:\Users\Admin\Downloads\MrsMajor3.0_2.exe"

C:\Users\Admin\Downloads\MrsMajor3.0_2.exe

"C:\Users\Admin\Downloads\MrsMajor3.0_2.exe"

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Users\Admin\Downloads\MrsMajor3.0_2.exe

"C:\Users\Admin\Downloads\MrsMajor3.0_2.exe"

C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe

"C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe"

C:\windows\system32\takeown.exe

"C:\windows\system32\takeown.exe" /f C:\

C:\windows\system32\icacls.exe

"C:\windows\system32\icacls.exe" C:\ /granted "Admin":F

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" /r /t 00

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3859055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.gimkit.com udp
US 54.91.6.89:443 www.gimkit.com tcp
US 54.91.6.89:443 www.gimkit.com tcp
US 54.91.6.89:443 www.gimkit.com tcp
US 54.91.6.89:443 www.gimkit.com tcp
US 8.8.8.8:53 pro.fontawesome.com udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 104.18.40.68:443 pro.fontawesome.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 89.6.91.54.in-addr.arpa udp
US 54.91.6.89:443 www.gimkit.com tcp
US 54.91.6.89:443 www.gimkit.com tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.24.17.104.in-addr.arpa udp
US 8.8.8.8:53 68.40.18.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.187.250.142.in-addr.arpa udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.27.84:443 accounts.google.com tcp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 84.27.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 216.239.32.36:443 region1.google-analytics.com udp
GB 2.18.66.83:443 www.bing.com tcp
US 8.8.8.8:53 83.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
GB 2.18.66.163:443 th.bing.com tcp
GB 2.18.66.73:443 r.bing.com tcp
GB 2.18.66.73:443 r.bing.com tcp
GB 2.18.66.163:443 th.bing.com tcp
US 8.8.8.8:53 163.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 aefd.nelreports.net udp
GB 2.19.117.143:443 aefd.nelreports.net tcp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 143.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 154.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 140.82.112.21:443 collector.github.com tcp
US 140.82.112.21:443 collector.github.com tcp
US 8.8.8.8:53 21.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 aefd.nelreports.net udp
GB 2.19.117.143:443 aefd.nelreports.net udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 aefd.nelreports.net udp
GB 2.19.117.143:443 aefd.nelreports.net udp
US 8.8.8.8:53 api.github.com udp
GB 2.18.66.64:443 www.bing.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 64.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
GB 2.18.66.59:443 r.bing.com tcp
GB 2.18.66.59:443 r.bing.com tcp
GB 104.86.110.129:443 th.bing.com tcp
GB 104.86.110.129:443 th.bing.com tcp
US 8.8.8.8:53 59.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 129.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.githubassets.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 camo.githubusercontent.com udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.114.22:443 collector.github.com tcp
US 8.8.8.8:53 22.114.82.140.in-addr.arpa udp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:53959 tcp
NL 178.62.199.226:443 tcp
NL 194.109.206.212:443 tcp
FR 212.47.240.10:443 tcp
HU 91.219.237.244:443 tcp
US 128.31.0.39:9101 tcp
US 8.8.8.8:53 244.237.219.91.in-addr.arpa udp
US 8.8.8.8:53 aefd.nelreports.net udp
GB 2.19.117.148:443 aefd.nelreports.net udp
US 8.8.8.8:53 148.117.19.2.in-addr.arpa udp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
GB 2.18.66.42:443 r.bing.com tcp
US 8.8.8.8:53 42.66.18.2.in-addr.arpa udp
GB 2.18.66.42:443 r.bing.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
N/A 127.0.0.1:9050 tcp
GB 2.18.66.42:443 r.bing.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 154.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 github.com udp
N/A 127.0.0.1:9050 tcp
US 199.193.115.2:443 tcp
US 8.8.8.8:53 2.115.193.199.in-addr.arpa udp
N/A 127.0.0.1:9050 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 61cef8e38cd95bf003f5fdd1dc37dae1
SHA1 11f2f79ecb349344c143eea9a0fed41891a3467f
SHA256 ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
SHA512 6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

\??\pipe\LOCAL\crashpad_4236_AVVNRONSIRXLRZFA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0a9dc42e4013fc47438e96d24beb8eff
SHA1 806ab26d7eae031a58484188a7eb1adab06457fc
SHA256 58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
SHA512 868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e12293d2e937eff6d6c372c00c23942b
SHA1 225049f0d5e959d4cab169c63912c6269dd55025
SHA256 afaf04368a0fec1a0bb3d456990547f631038ed3c15915de5063e05bbc2111b0
SHA512 19138e1ee60d45f4202632c3b00d5b3d32972da9815ced90f57b94f89c8d55d66eebb739ba08395f5915d9367b0349727987e158983dc6809101569c4b8b6b08

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 994aef0794122012fb79202e8f4d4fd9
SHA1 8d20b5b0e6d0e44f40082520f91f9c71d3913b8c
SHA256 bb12832efa7b35b38e65fc6a7df405c3cdb4f0c70aed6cf9837ae7d52662ae83
SHA512 0a68b6e23e6e0a6a382b3cebf558b92ad3d820f0aeedab7bd430eb4ab23772d9fe8a3ce2a171b0e295ead5ccc18ba0aa3a09dc5fd588d82fc3a5108d454458b8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1255c96a4bbfed67501f257cd739daf0
SHA1 21cca81ec5b68fcd9c6f602672debd4d33452a01
SHA256 00b9ca9487ccfc2bce4948ddac0c9374e40fb25eec86ee984400b39cadc0d5cd
SHA512 5bd6489131a9d89cde25013581a07fcab22ab8e068fa05546faef884ab4653b78de2fbde9c18bd0c370ed5b3e94ba5162aff1f4443822e31576ffb5bf1c0ab7a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ea02.TMP

MD5 ef15c753a47facf8d66f571894f98481
SHA1 24e0a477ff3fefd4dd870b997218a4cce4616663
SHA256 f12926624305f71d9c35c1a12fbdfe4ce619ec7021374100abd92afa99df1c28
SHA512 de283a5b3e38507ac7945c9564a7cce18b5936fa8724e2f11f27acc3b2f42de89e7992379efa9099170e84c77bb17e5de3bb9d67b551e75bf7cd6ad043098b29

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 cfef4a620f8edd1118e45fbf94cf32fe
SHA1 b7b5e7a96f6ca80886894f5f0201c541f370eb27
SHA256 eca26d7b58075df7b6f4f97a5d1586825fe0289ab9c3e35ba14b510ea0138e23
SHA512 cd0ed2160499a57d07096cf45795a0879c7605cf0e0f5e0c28c67924ac27f85de93f4a23cb6d619a3f99bf9dca995f20e590d34644c232cab65860834d0c65ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 222c19282ccd1076f967545266c333e0
SHA1 6d74f4d7d48041496365d8de7adbda22b0f39a3b
SHA256 f456bd2f3dbaac6c0fae19d22a4e92a7ff3b99307de2d2ffa48564962d5fd2be
SHA512 4372bf1c9a34025b8cba1bd1aab50007467faf425f20342a71f64be75b4156ee96226154a7d308bf87133794f771d0322732e755c669f64b647b0483aac56a99

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 5e4d00640b4b387be0259456c17084c1
SHA1 586736c2f96120e2823a4750c508401c16d00635
SHA256 4c0871e477243c7615973e435ce00d74f2df74358daccf47b671e566dcf5e0ca
SHA512 72fb39b07ed919334c643a3b45ecabeab449f36f3fc43aebb9b4d11a6cf60bad661692a71b4d229bb41f7098d55b16eedaaf30ed0b41e32816c97d9125ba4fc6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ebeafe163c29335324172f62a8ab0ea7
SHA1 f4db948c1b13d4738b6b4f7f699e68bb906481d6
SHA256 1c83bedceb75ae9cc2459c59a2009d290a343766d69bbb172155b1adc6bd7989
SHA512 fd05c853733de8579487e154333741fd4c3e8cabe32c79f1ed180a3060b1e096504ef6aeab8164f85a38ed41225b1543a517bd14aef78f45a7b68e475e35f9ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 450e13dfb27f561e95ce4dba65b73287
SHA1 8483814e73d8c48426248a86419f5662d1ca0b72
SHA256 9877ab8f6d898f031186c3032a9ae015953722faae0b1068724834e085f871b5
SHA512 ac5ce4241a486b784f89d8dc4d6c94c4123666208f6328743cc70f90a91245f7facd9a294a79a1f6c1d933fc12b6e6f5edea16344a56df3271403b0f60f44b33

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4ffbc1ea0c5b90d8b7bcd0aea6bf49b4
SHA1 51a0b5dc26fcbe96f33721efd9faffeae2ca863e
SHA256 655677d1ef82f3198b511687c12af80b66006c6da6c3936d7fc9ec66b568d34e
SHA512 f8bb2c26de8833396f6c43465a6a92ef9533138d790d9e375e2c2458826ef93e9f70e06a945ac4474265592bf6b940a74a6b8ae3b4b3798e4cd0b83214155646

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 4887c7a19b814684bef7ef013d4bd47f
SHA1 d1db955a3fde5b92cf01e75f7ea511fe101def89
SHA256 e0e1adcf4de1ca81eb811ddcbf1367bd395e37981c1bd878483afe4bf882b52a
SHA512 c66f7fe5f334303b6758ca297082f46ec0cc533f311c5d4a798a8ed25bc4a49d5805488c4ff798bd21af9ad3c57a37047728d1868eb9b55b7d92b79018dc658a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 779b988e342eda20ad0fcf280ddc6fad
SHA1 cc0943a98b9e435152f0b9b2af935d023fc26c85
SHA256 79284642b5219fa2915adb821b4c04f7a7fc891f3b6578d90d05a2982251a2df
SHA512 2333914cfa596d1f691c7b894435fe064d2d53f42e674803727571186b11e3fe31b82faf66cadc50cf79e8275440132aed29ea1253c2bd3f95b70a8da480f66a

C:\Users\Admin\Downloads\Ransomware.WannaCry.zip

MD5 efe76bf09daba2c594d2bc173d9b5cf0
SHA1 ba5de52939cb809eae10fdbb7fac47095a9599a7
SHA256 707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a
SHA512 4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 52e8cfede50a9a62381123406747e798
SHA1 cca60f6eb28aecee90e536c65aa381156f16aa19
SHA256 d42b5cfdfb54e5f2538e1ef8177da59f9e053e87a3a4f1e3a625139fa2650cf3
SHA512 5805d2fc050187f97accf951f7dc3bc6c6d1d7dc9b819a2f652972415a04851723f175174dda1cc64837796182100214e173e3f36ecf89c8de71601f7a507c9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7536ffb823f3bc8ebecba293f33caa5f
SHA1 7d9b519a46b973a4a50c4bf9e5c66eeb370a66b1
SHA256 be0ae1c3e67f206205ba22cf93fa3d9b2629848c319284405329581e98da8472
SHA512 a4eb2f60ddfe27c0ab02ea8cc2a5db073de8143327cfb828567a0bdeb8147d0a03a72ae6670c04c74aba1d2aacfcb4bb525123d40d5308cc76c56faa9be3dfc8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 58d3eaed0ab20c04c34be1e20729bdb8
SHA1 d5a3329912ce6c7e31e6cf02ac4c0af436897a25
SHA256 fb2f53c04949674c7b22cf7b44651119ddc82865dbd088354a3ee8d5289c4c8f
SHA512 a0017f26f889d80b44e63aec46b0a6dc77522acb55a9760b56fbf2eea8e162d124d7ca3a3cf9d9935d64070fcfcbb84324707f955e987452e24b19bbfe3bac08

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4bd02a31c04e8c40b3267a476f68ba48
SHA1 a78c11192e1b5f593c6a28e08ebf21585599f5d2
SHA256 cb45f3155a63c9100df57025aaface22b29dee6f718f2e00b930233cfe7e32eb
SHA512 9e948e82f9afb018c00403516e183990aa08887134e24cd966458031812cedfc8f22791bb49d7ebbf13bbb90287e65b8699983b5526a506d1a0b640bf9a28a54

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 a164081bf87cf34fd8fadf6486d5f158
SHA1 7c2b7fe14ea958a9b6075c107fe049b77a421f34
SHA256 5a0d157a2165db6194c0154e8471323e46b36e4b00099321901da6096dd5acf1
SHA512 64d9cec6c152d9717a6d075a7ef23ef79da85a990e081c7d2bdf56cb3a78fe0e601f46e7116fa5401b23a3efc5c2b7e08fe574d46f2fddeedf72e72229b1d879

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 6fc0540e3d52d153eba439c342a68634
SHA1 dfb51db03e3d839fb06860edd5217cef735599c0
SHA256 c0ed051a76c3d290764aca5e52d4c40c287d69949a184f9cb7eeaae3d76c4582
SHA512 fa67412239dc8b9ee2e1e42eccef0d77866953dd3905b7036a125d23a9558723fe6a269561b18df011cc553823d40865507d9770b552c59e07668f93d655d0da

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 478445ff58ebdbd0d181501a92cbd645
SHA1 4ea24b939846365864d92dcd314e48880e15f5f0
SHA256 182cafc0fab851aa2b3e3b8beac3ad3810ec11c0eb61c40560a892d6b67131b5
SHA512 69bff98546b193a20ff0145b37272508156d8123e9be586c8404ab85ef90ca3374b6a76d87a7fc78bf0010d009f09a632310d50e72795d8740c17ba93f977566

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 1ec3a09dfe1ff9049b5856ff83a0bb1a
SHA1 d5a671f8fec09b2efa915c803f22dd8f724a0c96
SHA256 d222b4b8e4bbd36c52d34e5a039251eef2f57893f248c04d732b331cc94522cd
SHA512 2f9bd6183d59ed747bb32f7a7a95ead5f422a3982aa975ecbf32b999e406306346d2b7b5fe7617c0c3cd35353d3811d28baa0c6c14bbcfff049fe6144befa3f3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

MD5 4308671e9d218f479c8810d2c04ea6c6
SHA1 dd3686818bc62f93c6ab0190ed611031f97fdfcf
SHA256 5addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a
SHA512 5936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

MD5 c3c0eb5e044497577bec91b5970f6d30
SHA1 d833f81cf21f68d43ba64a6c28892945adc317a6
SHA256 eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
SHA512 83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

MD5 76a3f1e9a452564e0f8dce6c0ee111e8
SHA1 11c3d925cbc1a52d53584fd8606f8f713aa59114
SHA256 381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c
SHA512 a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

MD5 710d7637cc7e21b62fd3efe6aba1fd27
SHA1 8645d6b137064c7b38e10c736724e17787db6cf3
SHA256 c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA512 19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

MD5 7eab02c9122098646914e18bd7324a42
SHA1 5e2044e849182f1d3c8bcf7aa91d413b970fc52f
SHA256 d58d66c51a1feb9af55ba4a2dcf2c339b7976dd011fbd5d071ca86b9d7f58a42
SHA512 dbb0f94de62d7d77d4bfe6c298043c559a0d4bc117bd7dc1d627caabffa8e712cec5e3adb4a737b350429493ac0ebfb81c8759aebed41b30218d0e7ff6f3196f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

MD5 54c5cfa21b9a69038a2f0c3631c289af
SHA1 a4abe737b3994842c63a4ccb9b61ee35900ed5d8
SHA256 06ae0f8e14703a48f12c136b395b58bc0a7e71b745d697851e041c2d1d901336
SHA512 4236bd5fabb880691e090e44c6847aaa206280d837e6572dbc9d23faf28fed5d914e9e8be3cdc4f3583fe6bcf85369a56aaa4a8744233af98baab96692f3d64c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

MD5 2e23d6e099f830cf0b14356b3c3443ce
SHA1 027db4ff48118566db039d6b5f574a8ac73002bc
SHA256 7238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885
SHA512 165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

MD5 4859fe9009aa573b872b59deb7b4b71a
SHA1 77c61cbe43af355b89e81ecc18567f32acf8e770
SHA256 902bb25ea8a4d552bc99dea857df6518eb54f14ffa694f2618300212a8ce0baa
SHA512 6f12570d2db894f08321fdb71b076f0a1abe2dba9dca6c2fbe5b1275de09d0a5e199992cc722d5fc28dad49082ee46ea32a5a4c9b62ad045d8c51f2b339348be

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

MD5 a6f79c766b869e079daa91e038bff5c0
SHA1 45a9a1e2a7898ed47fc3a2dc1d674ca87980451b
SHA256 d27842b8823f69f4748bc26e91cf865eceb2a4ec60258cbca23899a9aef8c35a
SHA512 ed56aaa8229e56142ffa5eb926e4cfa87ac2a500bfa70b93001d55b08922800fe267208f6bd580a16aed7021a56b56ae70dae868c7376a77b08f1c3c23d14ab7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

MD5 fed3d674a2f247d846667fb6430e60a7
SHA1 5983d3f704afd0c03e7858da2888fcc94b4454fb
SHA256 001c91272600648126ab2fd51263117c17f14d1447a194b318394d8bb9b96c5d
SHA512 f2b9d820ac40a113d1ab3ed152dfed87322318cd38ba25eb5c5e71107df955b37448ab14a2779b29fce7ebd49cc0bbafbd505748786bc00cd47c3a138aefdddc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

MD5 a214ee4c8729f2e26a7225bbe67b3bb9
SHA1 5296f880ab69325a578e7ec793e75ee0851215a4
SHA256 bde9dc60456aa92499092be020668a84fc5a8ffab28cd98cbe8b5fb66bb089c0
SHA512 1343ffe9a0d1193c953143eec6d6a3b23c3e7d88aaf0acc124a9360b1cc1ae34c69070ee7eb6bdb9c2b7326e79c40888cde6067c8a6b9376f2a2911999f86175

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

MD5 cfff8fc00d16fc868cf319409948c243
SHA1 b7e2e2a6656c77a19d9819a7d782a981d9e16d44
SHA256 51266cbe2741a46507d1bb758669d6de3c2246f650829774f7433bc734688a5a
SHA512 9d127abfdf3850998fd0d2fb6bd106b5a40506398eb9c5474933ff5309cdc18c07052592281dbe1f15ea9d6cb245d08ff09873b374777d71bbbc6e0594bde39b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

MD5 b6b2fb3562093661d9091ba03cd38b7b
SHA1 39f80671c735180266fa0845a4e4689b7d51e550
SHA256 530eb1f6d30ce52b11c3844741721eed669decc69060854ddb6666012c6e9e20
SHA512 7c3f88910bb87eb58078104290d0a6fc96bb34705974bf93e6dffd928160a9f28e34d879f015f0a05754f56aeacc462e27ba3f332e9dddd6e3879c5d97db5089

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

MD5 76d82c7d8c864c474936304e74ce3f4c
SHA1 8447bf273d15b973b48937326a90c60baa2903bf
SHA256 3329378951655530764aaa1f820b0db86aa0f00834fd7f51a48ad752610d60c8
SHA512 a0fc55af7f35ad5f8ac24cea6b9688698909a2e1345460d35e7133142a918d9925fc260e08d0015ec6fa7721fbeae90a4457caa97d6ce01b4ff46109f4cd5a46

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

MD5 1b6703b594119e2ef0f09a829876ae73
SHA1 d324911ee56f7b031f0375192e4124b0b450395e
SHA256 0a8d23eceec4035c56dcfea9505de12a3b222bac422d3de5c15148952fec38a0
SHA512 62b38dd0c1cfb92daffd30d2961994aef66decf55a5c286f2274b725e72e990fa05cae0494dc6ad1565e4fbc88a6ddd9685bd6bc4da9100763ef268305f3afe2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

MD5 ca39c956585ff3441ed99f219a95908e
SHA1 c17d8ac3a1fa156abb4d7d6f4799bbabc09966b1
SHA256 c23e03e141a70b1967f6d62a272ecbc588655211752e250f9173bebcc61127df
SHA512 57b5cbce513d2f1c698e4ca82cb9b2ba1c26d7b80f21e4efa77493d0053943bd5a8eaedc3dccb23192c0145dc411a99a86356777e95afa78ac616ce3f5189a5c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 6bc6ca23f2832b8bbca8069ed416cf06
SHA1 75f00b7fc407b294fe46c206fa790638ebc5f8b0
SHA256 f73dad2df032a311686efb0348fd8a96e74d2249341114a86ed8f045584085aa
SHA512 a2de7f444fc4ae25376b8cca77104b4963cd046cb9ec9aef744c184d4699612f83764dfd7af53cefaf31ca0810e1cb098f51d860e3979d2a2d6e06e6151524db

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4739c7ac888582f14c770640f8c2bae5
SHA1 4623ed4ca51d3bb7a1bda4c315ae79b025d19e3c
SHA256 800bb5966be54ffd74a3a143a3cc1f936a06dd0805407590d442dc001ceba380
SHA512 88ebc88b062e9ece2e39dd5d7fab5a6e18574f446bc1e22a2285da90dc72bf72fd43c1b759076670a95e31a6ac980c97669b2c0a8f2b0a3eda90329eb99f60ac

C:\Users\Admin\Downloads\Unconfirmed 18083.crdownload

MD5 84c82835a5d21bbcf75a61706d8ab549
SHA1 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f656e000a1489eb5765dfb4664677a08
SHA1 191d82584e7ad19c56eb78472889543bfea95d0b
SHA256 ac386b100143368aea6b50555f15cf144d3d0d1d9519d1ff4946fefd216897d8
SHA512 07febcb62b92cb76505b698e6e82f7dfa91ca944f5bc0bff4f955a5ef6ce5f280c465feafc40d26d25143a9c2837221f37d8aa6eb18c1eb4a914c98ccd1628b1

C:\Users\Admin\Downloads\msg\m_english.wnry

MD5 fe68c2dc0d2419b38f44d83f2fcf232e
SHA1 6c6e49949957215aa2f3dfb72207d249adf36283
SHA256 26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5
SHA512 941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

C:\Users\Admin\Downloads\msg\m_italian.wnry

MD5 30a200f78498990095b36f574b6e8690
SHA1 c4b1b3c087bd12b063e98bca464cd05f3f7b7882
SHA256 49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07
SHA512 c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

C:\Users\Admin\Downloads\msg\m_indonesian.wnry

MD5 3788f91c694dfc48e12417ce93356b0f
SHA1 eb3b87f7f654b604daf3484da9e02ca6c4ea98b7
SHA256 23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4
SHA512 b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

C:\Users\Admin\Downloads\msg\m_german.wnry

MD5 3d59bbb5553fe03a89f817819540f469
SHA1 26781d4b06ff704800b463d0f1fca3afd923a9fe
SHA256 2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61
SHA512 95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

C:\Users\Admin\Downloads\msg\m_french.wnry

MD5 4e57113a6bf6b88fdd32782a4a381274
SHA1 0fccbc91f0f94453d91670c6794f71348711061d
SHA256 9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc
SHA512 4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

C:\Users\Admin\Downloads\msg\m_finnish.wnry

MD5 35c2f97eea8819b1caebd23fee732d8f
SHA1 e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA256 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512 908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

C:\Users\Admin\Downloads\msg\m_filipino.wnry

MD5 08b9e69b57e4c9b966664f8e1c27ab09
SHA1 2da1025bbbfb3cd308070765fc0893a48e5a85fa
SHA256 d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324
SHA512 966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

C:\Users\Admin\Downloads\msg\m_dutch.wnry

MD5 7a8d499407c6a647c03c4471a67eaad7
SHA1 d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b
SHA256 2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c
SHA512 608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

C:\Users\Admin\Downloads\msg\m_danish.wnry

MD5 2c5a3b81d5c4715b7bea01033367fcb5
SHA1 b548b45da8463e17199daafd34c23591f94e82cd
SHA256 a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6
SHA512 490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

C:\Users\Admin\Downloads\msg\m_czech.wnry

MD5 537efeecdfa94cc421e58fd82a58ba9e
SHA1 3609456e16bc16ba447979f3aa69221290ec17d0
SHA256 5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150
SHA512 e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

C:\Users\Admin\Downloads\msg\m_croatian.wnry

MD5 17194003fa70ce477326ce2f6deeb270
SHA1 e325988f68d327743926ea317abb9882f347fa73
SHA256 3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171
SHA512 dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

C:\Users\Admin\Downloads\msg\m_chinese (traditional).wnry

MD5 2efc3690d67cd073a9406a25005f7cea
SHA1 52c07f98870eabace6ec370b7eb562751e8067e9
SHA256 5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a
SHA512 0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

C:\Users\Admin\Downloads\msg\m_chinese (simplified).wnry

MD5 0252d45ca21c8e43c9742285c48e91ad
SHA1 5c14551d2736eef3a1c1970cc492206e531703c1
SHA256 845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a
SHA512 1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

C:\Users\Admin\Downloads\msg\m_bulgarian.wnry

MD5 95673b0f968c0f55b32204361940d184
SHA1 81e427d15a1a826b93e91c3d2fa65221c8ca9cff
SHA256 40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd
SHA512 7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

C:\Users\Admin\Downloads\msg\m_turkish.wnry

MD5 531ba6b1a5460fc9446946f91cc8c94b
SHA1 cc56978681bd546fd82d87926b5d9905c92a5803
SHA256 6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415
SHA512 ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

C:\Users\Admin\Downloads\c.wnry

MD5 8124a611153cd3aceb85a7ac58eaa25d
SHA1 c1d5cd8774261d810dca9b6a8e478d01cd4995d6
SHA256 0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e
SHA512 b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

C:\Users\Admin\Downloads\r.wnry

MD5 3e0020fc529b1c2a061016dd2469ba96
SHA1 c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade
SHA256 402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c
SHA512 5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

C:\Users\Admin\Downloads\msg\m_vietnamese.wnry

MD5 8419be28a0dcec3f55823620922b00fa
SHA1 2e4791f9cdfca8abf345d606f313d22b36c46b92
SHA256 1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8
SHA512 8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

memory/2088-1165-0x0000000010000000-0x0000000010010000-memory.dmp

C:\Users\Admin\Downloads\u.wnry

MD5 7bf2b57f2a205768755c07f238fb32cc
SHA1 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256 b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA512 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

C:\Users\Admin\Downloads\taskse.exe

MD5 8495400f199ac77853c53b5a3f278f3e
SHA1 be5d6279874da315e3080b06083757aad9b32c23
SHA256 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
SHA512 0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

C:\Users\Admin\Downloads\b.wnry

MD5 c17170262312f3be7027bc2ca825bf0c
SHA1 f19eceda82973239a1fdc5826bce7691e5dcb4fb
SHA256 d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
SHA512 c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

C:\Users\Admin\Downloads\taskdl.exe

MD5 4fef5e34143e646dbf9907c4374276f5
SHA1 47a9ad4125b6bd7c55e4e7da251e23f089407b8f
SHA256 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
SHA512 4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

C:\Users\Admin\Downloads\t.wnry

MD5 5dcaac857e695a65f5c3ef1441a73a8f
SHA1 7b10aaeee05e7a1efb43d9f837e9356ad55c07dd
SHA256 97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6
SHA512 06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

C:\Users\Admin\Downloads\@[email protected]

MD5 7a2726bb6e6a79fb1d092b7f2b688af0
SHA1 b3effadce8b76aee8cd6ce2eccbb8701797468a2
SHA256 840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5
SHA512 4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

MD5 0acc415c0de2c9e3ae44bef2116f3739
SHA1 4775c7255ad00125b311952f6e95e826386dfc1a
SHA256 3b6867ad5cf21b8171996d5c8daf6c4c51e7c5eec504bcf8f056aff782f8a851
SHA512 93aaeab66a6f46661a5224392ddc286e39d897b729d7e0b90091e3579ab863b574dac0bcd68f573fc628763c7af6a1163aee4bc5ee197d8d2e049c090681dbf9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 a9f111c651c01b739cb2ae898ebdbcf8
SHA1 6dc98d3978a3de05fa09321f685884ef50a6179d
SHA256 a416a2098a96f8b74e56bf49837f16942891150502b77a01205c0c45a85b2c79
SHA512 1b51754cc91d9a025537a5a5253b70171e48d2e657e4e4952cf63efed3fbd2665d8f900f66e50126796028336c19613fce5fe0aace8f06db509c4429f96743b1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7d8c4cc4d92257e949bb181381755c81
SHA1 e05e2c2d6640e4e69932a5c6e45dcb3eecc531ca
SHA256 399fa9adf21aaee840d427c0c9e499c9ddf8e5482849607ea552117bccf96da9
SHA512 0e919604166be35d3b4b5306701587da5ad891eeeea05eac80f6200eb0d7dc070f88e992ae417415f641d76ece015fa7c59c505f13426c65a1ba388ec52d3f8e

C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

MD5 fe7eb54691ad6e6af77f8a9a0b6de26d
SHA1 53912d33bec3375153b7e4e68b78d66dab62671a
SHA256 e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb
SHA512 8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

memory/3732-2718-0x00000000744B0000-0x0000000074532000-memory.dmp

memory/3732-2721-0x0000000074480000-0x00000000744A2000-memory.dmp

memory/3732-2722-0x0000000000CE0000-0x0000000000FDE000-memory.dmp

memory/3732-2720-0x00000000741D0000-0x0000000074252000-memory.dmp

memory/3732-2719-0x0000000074260000-0x000000007447C000-memory.dmp

C:\Users\Admin\Downloads\msg\m_japanese.wnry

MD5 b77e1221f7ecd0b5d696cb66cda1609e
SHA1 51eb7a254a33d05edf188ded653005dc82de8a46
SHA256 7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e
SHA512 f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

C:\Users\Admin\Downloads\s.wnry

MD5 e9d704af8c031469bc8f64f4072e6666
SHA1 d9996b97d77033e58c47356368d899d38c777b8f
SHA256 5732a37492cde541caea672d8cf5ef842020c0042d32e90b59e1eb5c67c2d5ae
SHA512 82db1130b872965b0037d10b43dd73c4ce17d2cdfbc418fdb27f5c7333bf4fa2dd8d49953009f4946a6ab7987f2301961bf735458fcf859d4c71d2b8f7c50472

memory/3732-2854-0x0000000074260000-0x000000007447C000-memory.dmp

memory/3732-2853-0x0000000074150000-0x00000000741C7000-memory.dmp

memory/3732-2852-0x00000000741D0000-0x0000000074252000-memory.dmp

memory/3732-2851-0x0000000074480000-0x00000000744A2000-memory.dmp

memory/3732-2850-0x00000000744B0000-0x0000000074532000-memory.dmp

memory/3732-2849-0x0000000074540000-0x000000007455C000-memory.dmp

memory/3732-2848-0x0000000000CE0000-0x0000000000FDE000-memory.dmp

memory/3732-2858-0x0000000000CE0000-0x0000000000FDE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e27d2656536b4a0bfaf1e4e3d8f381d4
SHA1 79523f0b4da1fe0cfb09637d5a26f6a2cd6a1ab5
SHA256 9459bf93aed86495e3a9879572ff3436f669f66dfc84370bf80b41b6c2692b8a
SHA512 2004057b36c65555b8780848c66078fde19247633251af14ca6b4a614eba0319c73241d8689f9981e4a10259c30c22a8ca657951e525ebb8d94929a1e27aafb2

memory/3732-2874-0x0000000000CE0000-0x0000000000FDE000-memory.dmp

memory/3732-2880-0x0000000074260000-0x000000007447C000-memory.dmp

memory/3732-2886-0x0000000000CE0000-0x0000000000FDE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 db04e085610fd4e220af649d685c1d86
SHA1 b1dcb92cb4879bc53058d81cd2565c6526b612ea
SHA256 11d0ae2a16cb5e8d90342eda2e538c835ad0eda14725d7aa41ce900d488a618a
SHA512 a1752dcb45280d1b9aa0c6bc05af5f4b614cbe80c07f6e99facd3e6c6d392ea74a57b301b87ae5832e20649988933a2a97d936974359540ce599c981d5419af9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 584710ce0b36f4e88bc8ff018722b255
SHA1 e1dc51909a2256f7e668eb952eaddf67b978aad5
SHA256 7cfbd745faa4bbcc0a669d7cf885c36b43558a13a79b3a7c3eb166b3efad7fad
SHA512 657f9c44f505d2c299b8dca5ac6f49fdc348dbfffda13cc39e70d560ae316f060e1250e51663a22c524ebce79f29e7ee12589097c0948be0efdf6462ac815a92

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

MD5 17b6743977bcc7a7bb29fafc37f142d5
SHA1 a06d514d3d380b8c28696bba059c62cfc54deaa2
SHA256 7475e9358cc8ec5ae95b1b485ae0f5dfea9f22c375f9ccd1107b53025f71e3e3
SHA512 1696cb3834251d9f4c1a2bd5d884d06a5efe2b53e15834f9f78d60bfb186977abedb007a37eedf3a23b9347ee44853c1c715fa50faee04b9bc8cf0d3e712b5e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8dfda389b0560ceed34a757c32b7b4c3
SHA1 aea247afdf831ffdc5cc99503a3918975bbc6129
SHA256 a8000311835516a6b500b7a7c2a838d500dcdb1e1237eb01327429dae71c1dd1
SHA512 6690ee8c70065abdca5484ae46e294c26685dfe14723e698b89f76d062f500b66574fb83bf07ef862e0aefcc6264665087c7998066b9d1c4e861815a44d72640

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2cc273a8eed59f51842f55c5aa58c27f
SHA1 0a674f644c87bb4e0dd304f1097b2fec697c60d9
SHA256 78608879e046d57f2bc10616a23dcec39f4485e4ac42071c7428c4163a622b28
SHA512 9bcb1a79e2b07ea96f35a068b11d2faa1742147e6443820b44bec1c84ba6a2f463c56ce9572dc7e8fa154477e6df12ae905030d3ba6b8b33bedee692fc6fe16b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 73d4daf24e00d987f7fca6df5d5f7fa3
SHA1 5acf49ae2b5848d6d665898ab7e9eebd6982a3c8
SHA256 394d2f684f0d2eabf9416eb116615d122e6b425c54b7250d6c6ab5dcdfdd7a36
SHA512 8e9856502e4b06d2449a43c46769d0bba214bea232ae6390f22ba2fa474db32b6e6e8345efd215afc35b337f9a1e89793ec07105cd590bb71bf2ac40f3ccfed8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 fc7c5187536c7d9e3ed03b4187affb3a
SHA1 1f94bb88f903ef152fb66f41aca05008dd5bcd65
SHA256 4ae71dc72a444b927f5d3e36c3590b2ec03d4701fcaefd5001b8c496de64a42c
SHA512 1a11b6628c6072211edbc84c2723973e7f5d1d6c7ed7bfc4b4ade1ebce68dec9507f4f6655639e409d2997ae19691f2725c5b35aa91c8e83850b72d610ecbfa9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0bbefd80df1a963f70fe4d87da8b5c8b
SHA1 c67a9b865379b3ba3122888a15d5654176f5884e
SHA256 36b2c6221a0ad625345f4bfcd3580f937644b4de70bb4f31a66a5d98f4673816
SHA512 303bacd3a3126a4cae10c79792d6487c0be11d869d7ade7c6899a00b60ec72d4723b7cd52ee697ad13cc78fde73424f409f6aad750b5700d4da6225131882ee9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\13a571fe3e7dca73_0

MD5 b9614cb6642e6b98d6c0d6b58caf6e12
SHA1 d643d70cd84182e56e8cb03de4790e1cc18549d9
SHA256 de59b145fbe68d7fc334168f2cc9155b7f80f51a53e05834a99368ee6f18defd
SHA512 c2d0a3c97fee981a9f98439cb786df6f5ab7ca733f7b4e1e19f91ed51191e55ee9e8f01dc8bd825eba90ba0d399ca49aa0aabd64e590e71c196a81ee24a73a06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\719a37e8355bea4c_0

MD5 4cbb7934e3c628b8705b9965c078960b
SHA1 1f3a4f8f726e6cd75f00a7f5437e0810256a8da7
SHA256 b79d9cccb7d3d5469cef7286538d385bcff65b0f9e76e3fb2bc483217d6a1e30
SHA512 8d14a038b2ca3955af21211a6a5b9647a2c4b37c7fde198f6fa10dfa22de0312aa36548b575474e7d6883bf9c1cfa3ff7606664fac68b93826d4d4a03e45ef23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9be154965f9c63741b4e3645cdbcae96
SHA1 b8b5bbbbf1a6b43c98bb4f4a1e20a5a280c54a4f
SHA256 181508f1ef4f13f4d79f35a3b84c60a0f76cd2035b31434853698c37dc38d3de
SHA512 d61f02f49f3a57d15dff28af6ccd3be5dc6cb2e0f61e9fb3d1a5cc49353de9ebd395bbe021fedcc8b12eb72b5b488fae2635f5330226fa8569d56c115527f875

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b77ccdeada8f20bcdeaea3202b852175
SHA1 7d807b366a3dc31fdf636331da293c6d79e55a27
SHA256 4ffea818078420ee845c752993e0b04f9ad0eb0e416bcc745f1761e43f1e761f
SHA512 c4fabeb7c2f108907b20a48545a6fbfd54d296711a5f0eacf588162060c162c0a64e08f82d0f12a2fc51fc8cbaa28ec92d2acbb4236353bc093a9404160d6cad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6e1427d19ff38087_0

MD5 032a4f9ba01f4bb4e791bd832388b949
SHA1 ff08d94473891fe7b414c32d92d7cad3e921c97a
SHA256 1114c0c767c10591b752c0b015487f79af287367f8bff1f3a808dd11acb05823
SHA512 ae2bcbf36033cfa84316440ffe9afa3a032e4f4330fef125f436571ac3509b91604038951512be573de70810aaecc19daf54788d20942d10341f1b15611441e7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9412c8b664751f90_0

MD5 b0eb28c740158d3b8843d5e90c90fa65
SHA1 f919c2344e6f97e372e92cd0b2bac8bb1f4246e3
SHA256 2ac45c1f82411834af860fead7e156fea61de197a57296b30375ba53c0423072
SHA512 3ca8008e5f6b2190de62b23ef5f3f243600e7a99c7292d9aef8bffb1c554257188a62bb6bc84ed0ecc25fc84e81aee4905a33544599ef554dd955e0473d58ee3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\53ac5abc87e80789_0

MD5 93b69318ea029f869ec49d0b444e61c9
SHA1 adb5a2581e12874b4395a3a66a2fff946936b120
SHA256 e97fbe4c8ecbe9aa5a21ddf4e600dd7af74f182b1cab3822d43add458b4d66f3
SHA512 2514329eac1b05faf3d0b5d1bba6d62a1b403afce9e059c32724eb5e80ee38cb5e64c33006e5f19da0a65fdc34e1465d93434bf4fb205716ba4edbe19b831251

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2e4bbad99a372cc_0

MD5 fdf6c71bd905b540ed7abc3cfb9fe73b
SHA1 b91319473a11c996de51e9c301f8e8569d0f166b
SHA256 15e5ae140f674439088fe3083d15cf221b51993ee95c55fdfe1afa62f8272a7b
SHA512 2ff1bdf94877977b1d05ae8a8fe62e14ab3f101a0ebe029797dd9ae757f13813eaca882c6ece3e6b934d2e342852fb4e5ba966714b11f322572c509b03f95da5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9dbb949d27873cbc_0

MD5 4ed5e11fa43eb5fedaa2bdd171289687
SHA1 51c17ab06150b4b8cf6f70748d5b15c0760e388f
SHA256 666c1bedb6ad789b215a8d3597f9864b447ca12625ace95b033b2c79dc7354cf
SHA512 2012115ebafc49fcf4fb8df20df4a2b7a9c5cb2b18a68ad715dcc0fbf77e34d6481b3b7c25b3761116a40549ec001f588462ffa6358fc663c3fb874202a698fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c28ca9baabbadb00_0

MD5 a5bc8a4bf24f50ada2070309dcb5dd59
SHA1 c20e234fde0dc943397fbaffa4103d0dfe7076fe
SHA256 40a416e9049224d5cca85236ddc353df4b9c089c371e41147e67fef672712409
SHA512 ab489d5eeec71d9fb2974ff30ac4bc6bfb3a0b46f1c440b7980d6c3cd2f0b2e5331120d4e262cbe46acc90efe37c147b19d4d3e83e13a6c612b8bf7b76622033

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 81f7096565c58a8bcdc3b768ebd7d7b3
SHA1 d1e86391675a2912efb551b50e61ada853108869
SHA256 60a7fc134bc272029c20dc2904aaa145ef715b743c49ece57ba9f2688dab0ba0
SHA512 ad07f83a83d7bbc3e44e58fb5f260b517173119bb13804d1e80d1b4c8aa971ed23c97c3229aaa5a76c5b41c5b617bcfa3c21fbb334c0f0cae09aae30555c6bad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a09126988388e707d41c2f03817cb372
SHA1 ca0cdfb187785c617a1c4172a021aada3788fa35
SHA256 6fe6b715b9db6136a986cc0c26bc50de5bee2aeae8480275a3a0060035cbbd92
SHA512 e22dfed49d62215f67ef7c581308c4e4e15a27dc20239bd1d6edc178de61347e659591f09f45b629cc3df1d177d18f9d9b160d5b68a011cd56d664658abdc431

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f2722aeee4cba2d1893e7e1b424ef9cf
SHA1 f5d8ec3dbbc4fc472a0309a2b98b7f74a82ddab2
SHA256 ea2a245466f6dcc2beeb6a1bafc5abc22f9f770d8667730414539005eb61cad5
SHA512 4a19ccd9c92f3fe9264bb98ad40ff282e1691ebfb26aba23ed0ce328cfcb8a1ffc24939d3b73a40a69735be6aa80990946abb9016336e32c1e3bb620dc33fb51

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4016bbb98c8c6409_0

MD5 cde433a0ad69f393109c7457cfe9fc70
SHA1 91925174529eb7e4968acecffd6742de54b67a6e
SHA256 f5faf4f947051fb0e3f0b483e605444115209a721de39ad22c9d27ddf10cc072
SHA512 8e7d1aaa76704da37b2c80d2ea9e3f4cadd559d7ad4211403740b6fc04eb7caed56308a6c07f962a4073aabac636ac1c950258d22e6fe19e37a38eb61a7ee502

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\013c30e87d4d8da4_0

MD5 5c48aca761b1fe0aae6e742fe3169492
SHA1 5b4bd251ea15726032f18bd073cb185550aa3bed
SHA256 fdbee45249ecd3402f77833c3086488585d05b7023928bee1644bf578bac407f
SHA512 5f67129ea046976ebf91cda81f5a67c1b367728af1b8b9d524af6ace010c721adae59f15fd864d70dabf93dda21fb9852c3c3dede3a469e054a940b43b036ca5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\31d3611f0e13cd20_0

MD5 4a87b357c964dfce45b6fd911f0c33b4
SHA1 46350398944bd70cb86e70872d0c5ad9db56e8c8
SHA256 759ff8d2c6304b37ed7a39b36d3bccfec3fc3a06fd6a0e78736b795fa41cf2db
SHA512 e9c06204b2e2a0edf48ed14ad5db91ea470927af4532d1643a0475cb04b0be35355c109bd721349e3bbbbbe203d06ef911f5e2fbcb9602349b9f0914d8b3e0a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f5c5b9cbc406ca3f_0

MD5 20f8eefd9b499d8283628c4d3ae4ac33
SHA1 1aff4fe9b2552d85b4b0f56ab3b8bb6d512ea375
SHA256 0084eca113a83a2feff77b6555a9b52a619dd11026850b63c3417e986a4467f9
SHA512 bb3a3414f83bc8406d52eb1221be0ff0b896bfce97ffbbb101e5bc4b1bb2a5c263983ca27b05bf6e9214592150439fc5a1606d7aeb76940b035b152405a08cd1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\de80f765640cda66_0

MD5 7636f1ef52d67e4f3222e50c955cf369
SHA1 f404e4a18a01893630989c7b237b1eb02ed285c2
SHA256 b24cc8e8e3c2163b70c2e54d513c96021af5404ff1ee8ea932bfcbbfbf800e58
SHA512 589c19e7360b4ae694e172da2ae2a249f2c96af8fbf9e35b5724014880f30bb85de72c42622d191f6cb00d6095b4be8152abba13e132c6e354ddfe47a7a06641

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a02df7c313f59d27_0

MD5 5e8921ed07f8033a87a0b5292a53ca42
SHA1 32ca2ac0df71824fe5887a00b9a824857e021781
SHA256 4d9c2c0afd7e577d99b624e961da3c04055452b311d32c6c19e07498431331c4
SHA512 abf47a2ce49fdee7f92bc05d89b59f6cbd6fc4c13fe17069e008f2c2e6764f96674914a9be9fcae5a749792f817c9fffa8ae64dc5682597632fd2222e0d2c2a1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2df3859e65f6171363edc21dd5a30edc
SHA1 2ce940e33fb2e968a3abb03b3de903929fd63ee5
SHA256 351f637e6d8c1f6f4f03ef7da22e8bedf672e5c5b3a675e2bae00a5a56d0cd3c
SHA512 b9220eb1c17071db7c8327c6815618088bed18b856a98a5345cbf03cbf3bbf44a6e0d14447593b3b36544b82975259fa6fc8794ea5c6237c40453b390bccd694

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3dea748200e86ebd6cb8dc2828bb745e
SHA1 72122aeee661e808e39e57c9e365045aad6f50b2
SHA256 d7aba137e75455f75d0335dcec9bcba548350371b4d2c60af77768efa4203198
SHA512 fbddbc76bf3dccb8c6a727ab27ad499c70854ae48d1aac4052046720083dd9cd761dfa16bcf551c5d5014342e0240ae5177947162f4f4653b8b849a2b93660f0

C:\Users\Admin\Downloads\9b71dc00-fd0e-4b75-ba3d-8761753b2af7.tmp

MD5 f2fe1f7dc11f7c2b0e9fec2330b7aaee
SHA1 8c2aa931e4bdc36d9e8885794525d3e12910580d
SHA256 074d2a88cc8e779f9ef59a545d37211208c1cf326fdab227dba61b6d8a98bda0
SHA512 8f72c7c68a68e2cc3ef2361b2fa3b4639cad741c4614d21b1188b2a4c3df90e53826749f6435fd58b84b9378761caab6815db3451753219f58c1f0780d7b49c9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f509b8e37d4eb78706461495e2304a9f
SHA1 cf2af5155fbd71a28dd31cc79fcdbc2a969f0d27
SHA256 5e3a5b24e0239bace6daba845880c8cb231f38f3a29dcd1bf74f95996b00a1e5
SHA512 1a38eb12ccdfc011f1639b9288fa1e5f6c5e54ff56642e2997ba75827be7ffdbf1da6aa8ddb1a4798e66597271e8ed624d965bfb4d023f7589789246628feb2c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 f9836fc91b0fe627c55feefd99a2d905
SHA1 1655ae12f49917063f1694152fa028ef1fec0a95
SHA256 5258df49d7d3e4ee1291964e7422733d3ec09980274258356a32b2e5eda89532
SHA512 3c555195bc2a608fcf9ecb9b505e7990cbfa6024f1bfa162afdf0610b62a5bbf0708c130b32c50abd50ba8f45b9c6247135bdf0ecaa84cecea1938107c580211

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 1d4f0a07ad8c3f59d66c448eab82ced4
SHA1 de1c5b8542e6a63ccb04aaa15e432dcbd115f0e5
SHA256 542ac1c7a7cd3de10e19b15124e8a10a5d50633b429d1551c72ed8f10e7b5c85
SHA512 a28d5e97f77edd86048554d59d4b6923cf12cbc2b4cd3e3973c1194b2c0c1f3d1bd747725475ff31ce9653f1052f63ad1eed5f77e588df4e7ce536e0c817eae8

memory/3856-3684-0x0000000000550000-0x0000000001B7A000-memory.dmp

memory/3856-3685-0x0000000006AC0000-0x0000000007064000-memory.dmp

memory/3856-3686-0x00000000065B0000-0x0000000006642000-memory.dmp

memory/3856-3687-0x0000000006590000-0x000000000659A000-memory.dmp

C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

MD5 5bd9cc671e33cf382823b0cb9f0e65b4
SHA1 ad4e276334fe232ef4f747177bc3b6ddb05e4ee4
SHA256 e7167a1576cb16f67613a9d3b5dcb28d42b3ae520ed2eb211e5be2c12e8860be
SHA512 242a98ea1c96eb1a316e291851745bbc33a27a3756eb4d59012aecd9e35659be175e7e95572624de168fdf42503b53dd2a485ec616aff0c2b6f8ea03b3ba20c2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 94badc573ce7fa93ed9facb3525e6f4e
SHA1 4a54270f7736d6a0234b7e6aaf4c9e44a66af796
SHA256 3779ec6ba2ed2765015b9eff58351e97ea75e6c26e5afe8e5098d15d0c578a49
SHA512 c53c8a13d204735240f2d6e8a38cc928072f3e871d8e8545b281b666c8250e3ce136813cabe91a2dc82a84fcb7d15a4d608b0abfe8c8781bc38dc0bbaf032949

C:\Users\Admin\AppData\Local\Temp\MrsMajor3.0.exe

MD5 44758e777110e8f80f7a31e802716f23
SHA1 06e6a9745572fa6e0ce7a93c1d3f564ffc95c365
SHA256 45d64586e97e7200705db1072e92a376495d74f6c364763f3eb98dc3df6ce45f
SHA512 3a828f5a789cbe78ece5a4d21be30bce677b54e521f013df5f2bd02eede5a28f935710c04bd8e77de8ab2e172148187e10c7d667ea60f5190ad2b91e9e04624e

memory/2952-3839-0x000001FA77350000-0x000001FA78954000-memory.dmp