cryptolocker | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware

Analysis

max time kernel
602s
max time network
603s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 12:57

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware

Score

10^/10

cryptolocker wannacry aspackv2 bootkit defense_evasion discovery execution impact persistence ransomware spyware stealer upx worm

Malware Config

Extracted

Path

C:\Users\Admin\README_HOW_TO_UNLOCK.TXT

Ransom Note

YOUR FILE HAS BEEN LOCKED In order to unlock your files, follow the instructions bellow: 1. Download and install Tor Browser 2. After a successful installation, run Tor Browser and wait for its initialization. 3. Type in the address bar: http://zvnvp2rhe3ljwf2m.onion 4. Follow the instructions on the site.

URLs

http://zvnvp2rhe3ljwf2m.onion

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Cryptolocker family
cryptolocker
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (63) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 247389.crdownload	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Rokku.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation Rokku.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Rokku.exe

Drops startup file 5 IoCs

Processes:

WannaCrypt0r.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDFDBB.tmp	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDFDC2.tmp	WannaCrypt0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README_HOW_TO_UNLOCK.TXT.WNCRYT	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README_HOW_TO_UNLOCK.TXT.WNCRY	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README_HOW_TO_UNLOCK.TXT	WannaCrypt0r.exe

Executes dropped EXE 64 IoCs

Processes:

CryptoLocker.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exeRokku.exeSatana.exeSatana.exeSatana.exeSatana.exeSatana.exeSatana.exeSeftad.exeSeftad.exeSeftad.exeSatana.exeSatana.exeWannaCrypt0r.exetaskdl.exe@[email protected]@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]YouAreAnIdiot.exeYouAreAnIdiot.exetaskse.exe@[email protected]taskdl.exeAvoid.exeAvoid.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exeMagistr.exeMagistr.exeMagistr.exeMagistr.exeMagistr.exeMagistr.exeMagistr.exeSeftad.exeSatana.exeSatana.exeRokku.exeMeltingScreen.exeMeltingScreen.exetaskse.exe@[email protected]

pid	process
112	CryptoLocker.exe
4324	{34184A33-0407-212E-3320-09040709E2C2}.exe
888	{34184A33-0407-212E-3320-09040709E2C2}.exe
5724	Rokku.exe
3696	Satana.exe
3608	Satana.exe
4300	Satana.exe
1960	Satana.exe
2496	Satana.exe
3244	Satana.exe
1532	Seftad.exe
1848	Seftad.exe
5256	Seftad.exe
868	Satana.exe
928	Satana.exe
2944	WannaCrypt0r.exe
5896	taskdl.exe
4344	@[email protected]
6012	@[email protected]
5788	@[email protected]
1316	taskhsvc.exe
5432	taskdl.exe
3704	taskse.exe
5324	@[email protected]
1648	taskdl.exe
968	taskse.exe
532	@[email protected]
3896	taskdl.exe
3264	taskse.exe
4924	@[email protected]
5844	YouAreAnIdiot.exe
1268	YouAreAnIdiot.exe
5504	taskse.exe
3688	@[email protected]
3012	taskdl.exe
5256	Avoid.exe
1508	Avoid.exe
5860	taskse.exe
5776	@[email protected]
3324	taskdl.exe
3660	taskse.exe
2988	@[email protected]
1736	taskdl.exe
5216	taskse.exe
5684	@[email protected]
5980	taskdl.exe
3016	taskse.exe
2728	@[email protected]
5668	taskdl.exe
3788	Magistr.exe
2684	Magistr.exe
5128	Magistr.exe
5772	Magistr.exe
5700	Magistr.exe
5528	Magistr.exe
5420	Magistr.exe
4816	Seftad.exe
4284	Satana.exe
3284	Satana.exe
4240	Rokku.exe
5808	MeltingScreen.exe
5896	MeltingScreen.exe
2704	taskse.exe
1284	@[email protected]

Loads dropped DLL 7 IoCs

Processes:

taskhsvc.exe

pid process

1316 taskhsvc.exe
1316 taskhsvc.exe
1316 taskhsvc.exe
1316 taskhsvc.exe
1316 taskhsvc.exe
1316 taskhsvc.exe
1316 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4636 icacls.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
1316	taskhsvc.exe
1316	taskhsvc.exe
1316	taskhsvc.exe
1316	taskhsvc.exe
1316	taskhsvc.exe
1316	taskhsvc.exe
1316	taskhsvc.exe

pid	process
4636	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{34184A33-0407-212E-3320-09040709E2C2}.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hbqpqaznjyrqx231 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

62 raw.githubusercontent.com
63 raw.githubusercontent.com

flow	ioc
62	raw.githubusercontent.com
63	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

Seftad.exeSeftad.exewusa.exeSeftad.exeSeftad.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	Seftad.exe
File opened for modification	\??\PHYSICALDRIVE0	Seftad.exe
File opened for modification	\??\PhysicalDrive0	wusa.exe
File opened for modification	\??\PHYSICALDRIVE0	Seftad.exe
File opened for modification	\??\PHYSICALDRIVE0	Seftad.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

@[email protected]WannaCrypt0r.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCrypt0r.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

Satana.exeSatana.exeSatana.exeSatana.exeSatana.exe

description	pid	process	target process
PID 3696 set thread context of 4300	3696	Satana.exe	Satana.exe
PID 3608 set thread context of 1960	3608	Satana.exe	Satana.exe
PID 2496 set thread context of 3244	2496	Satana.exe	Satana.exe
PID 868 set thread context of 928	868	Satana.exe	Satana.exe
PID 4284 set thread context of 3284	4284	Satana.exe	Satana.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 755769.crdownload	upx
behavioral1/memory/5724-528-0x0000000000400000-0x000000000058D000-memory.dmp	upx
behavioral1/memory/5724-759-0x0000000000400000-0x000000000058D000-memory.dmp	upx
behavioral1/memory/4240-3469-0x0000000000400000-0x000000000058D000-memory.dmp	upx
behavioral1/memory/4240-3473-0x0000000000400000-0x000000000058D000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
400	4300	WerFault.exe	Satana.exe
5332	1960	WerFault.exe	Satana.exe
5980	3244	WerFault.exe	Satana.exe
3676	928	WerFault.exe	Satana.exe
744	5844	WerFault.exe	YouAreAnIdiot.exe
428	1268	WerFault.exe	YouAreAnIdiot.exe
3608	3284	WerFault.exe	Satana.exe
5572	4240	WerFault.exe	Rokku.exe
5172	3768	WerFault.exe	xwizard.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskse.exe@[email protected]taskse.exe{34184A33-0407-212E-3320-09040709E2C2}.exenet.exeSatana.exewusa.exexwizard.exe{34184A33-0407-212E-3320-09040709E2C2}.exe@[email protected]taskse.exetaskse.exereg.exereg.exe@[email protected]taskdl.exenet.exeSeftad.exeYouAreAnIdiot.exetaskse.exetaskdl.exeMeltingScreen.exeGoldenEye.exenet1.exeSatana.exetaskdl.exeSeftad.exereg.exetaskdl.exetaskdl.exeattrib.exe@[email protected]taskse.exenet1.exetaskdl.exeGoldenEye.exe@[email protected]Magistr.exeMagistr.exequickassist.exetaskdl.exe@[email protected]Avoid.execmd.exeMagistr.exetaskse.exeMagistr.exeMagistr.exeCryptoLocker.exeYouAreAnIdiot.exe@[email protected]cmd.exetaskhsvc.exetaskse.exetaskse.exeGoldenEye.exeRokku.exeSeftad.exe@[email protected]taskse.exeMagistr.exeicacls.exeattrib.exetaskdl.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Satana.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wusa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xwizard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Seftad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeltingScreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoldenEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Satana.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Seftad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoldenEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magistr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magistr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quickassist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magistr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magistr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magistr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoldenEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rokku.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Seftad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magistr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OpenWith.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4340 reg.exe

pid	process
4340	reg.exe

NTFS ADS 16 IoCs

Processes:

msedge.exeGoldenEye.exeGoldenEye.exeCryptoLocker.exeGoldenEye.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 9895.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 175098.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 247389.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 286475.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 495414.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 471419.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{f07c8dc8-bd45-44f4-9eaa-072378b31bd6}\wusa.exe\:SmartScreen:$DATA	GoldenEye.exe
File created	C:\Users\Admin\AppData\Roaming\{2e999f7d-1650-4a7a-a02b-657ab37065e1}\xwizard.exe\:SmartScreen:$DATA	GoldenEye.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 315084.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 509915.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 429042.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA	CryptoLocker.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 755769.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 829777.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 560967.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{66644bc6-3c59-4dce-a2b6-9ae5dd9075fa}\quickassist.exe\:SmartScreen:$DATA	GoldenEye.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exetaskhsvc.exemsedge.exemsedge.exemsedge.exeMagistr.exemsedge.exemsedge.exe

pid	process
1000	msedge.exe
1000	msedge.exe
3164	msedge.exe
3164	msedge.exe
1472	identity_helper.exe
1472	identity_helper.exe
312	msedge.exe
312	msedge.exe
1532	msedge.exe
1532	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
536	msedge.exe
536	msedge.exe
3544	msedge.exe
3544	msedge.exe
5976	msedge.exe
5976	msedge.exe
5960	msedge.exe
5960	msedge.exe
1316	taskhsvc.exe
1316	taskhsvc.exe
1316	taskhsvc.exe
1316	taskhsvc.exe
1316	taskhsvc.exe
1316	taskhsvc.exe
1680	msedge.exe
1680	msedge.exe
2860	msedge.exe
2860	msedge.exe
5568	msedge.exe
5568	msedge.exe
3788	Magistr.exe
3788	Magistr.exe
5188	msedge.exe
5188	msedge.exe
5480	msedge.exe
5480	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exemsedge.exe

pid process

3332 OpenWith.exe
3164 msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

Processes:

msedge.exe

pid	process
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exevssvc.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	5776	WMIC.exe
Token: SeSecurityPrivilege	5776	WMIC.exe
Token: SeTakeOwnershipPrivilege	5776	WMIC.exe
Token: SeLoadDriverPrivilege	5776	WMIC.exe
Token: SeSystemProfilePrivilege	5776	WMIC.exe
Token: SeSystemtimePrivilege	5776	WMIC.exe
Token: SeProfSingleProcessPrivilege	5776	WMIC.exe
Token: SeIncBasePriorityPrivilege	5776	WMIC.exe
Token: SeCreatePagefilePrivilege	5776	WMIC.exe
Token: SeBackupPrivilege	5776	WMIC.exe
Token: SeRestorePrivilege	5776	WMIC.exe
Token: SeShutdownPrivilege	5776	WMIC.exe
Token: SeDebugPrivilege	5776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5776	WMIC.exe
Token: SeRemoteShutdownPrivilege	5776	WMIC.exe
Token: SeUndockPrivilege	5776	WMIC.exe
Token: SeManageVolumePrivilege	5776	WMIC.exe
Token: 33	5776	WMIC.exe
Token: 34	5776	WMIC.exe
Token: 35	5776	WMIC.exe
Token: 36	5776	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5776	WMIC.exe
Token: SeSecurityPrivilege	5776	WMIC.exe
Token: SeTakeOwnershipPrivilege	5776	WMIC.exe
Token: SeLoadDriverPrivilege	5776	WMIC.exe
Token: SeSystemProfilePrivilege	5776	WMIC.exe
Token: SeSystemtimePrivilege	5776	WMIC.exe
Token: SeProfSingleProcessPrivilege	5776	WMIC.exe
Token: SeIncBasePriorityPrivilege	5776	WMIC.exe
Token: SeCreatePagefilePrivilege	5776	WMIC.exe
Token: SeBackupPrivilege	5776	WMIC.exe
Token: SeRestorePrivilege	5776	WMIC.exe
Token: SeShutdownPrivilege	5776	WMIC.exe
Token: SeDebugPrivilege	5776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5776	WMIC.exe
Token: SeRemoteShutdownPrivilege	5776	WMIC.exe
Token: SeUndockPrivilege	5776	WMIC.exe
Token: SeManageVolumePrivilege	5776	WMIC.exe
Token: 33	5776	WMIC.exe
Token: 34	5776	WMIC.exe
Token: 35	5776	WMIC.exe
Token: 36	5776	WMIC.exe
Token: SeBackupPrivilege	5676	vssvc.exe
Token: SeRestorePrivilege	5676	vssvc.exe
Token: SeAuditPrivilege	5676	vssvc.exe
Token: SeTcbPrivilege	3704	taskse.exe
Token: SeTcbPrivilege	3704	taskse.exe
Token: SeTcbPrivilege	968	taskse.exe
Token: SeTcbPrivilege	968	taskse.exe
Token: SeTcbPrivilege	3264	taskse.exe
Token: SeTcbPrivilege	3264	taskse.exe
Token: SeTcbPrivilege	5504	taskse.exe
Token: SeTcbPrivilege	5504	taskse.exe
Token: SeTcbPrivilege	5860	taskse.exe
Token: SeTcbPrivilege	5860	taskse.exe
Token: SeTcbPrivilege	3660	taskse.exe
Token: SeTcbPrivilege	3660	taskse.exe
Token: SeTcbPrivilege	5216	taskse.exe
Token: SeTcbPrivilege	5216	taskse.exe
Token: SeTcbPrivilege	3016	taskse.exe
Token: SeTcbPrivilege	3016	taskse.exe
Token: SeTcbPrivilege	2704	taskse.exe
Token: SeTcbPrivilege	2704	taskse.exe
Token: SeTcbPrivilege	4624	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

msedge.exe

pid	process
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe

Suspicious use of SetWindowsHookEx 37 IoCs

Processes:

OpenWith.exeSeftad.exeSeftad.exeSeftad.exe@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]Seftad.exe@[email protected]@[email protected]

pid	process
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
3332	OpenWith.exe
1532	Seftad.exe
1848	Seftad.exe
5256	Seftad.exe
4344	@[email protected]
4344	@[email protected]
6012	@[email protected]
5788	@[email protected]
5324	@[email protected]
532	@[email protected]
4924	@[email protected]
3688	@[email protected]
5776	@[email protected]
2988	@[email protected]
5684	@[email protected]
2728	@[email protected]
4816	Seftad.exe
1284	@[email protected]
5348	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3164 wrote to memory of 2148	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 2148	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4484	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 1000	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 1000	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe
PID 3164 wrote to memory of 4400	3164	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

3676 attrib.exe
3452 attrib.exe

pid	process
3676	attrib.exe
3452	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb55646f8,0x7ffcb5564708,0x7ffcb5564718
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:312
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:112
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4324
  - - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6464 /prefetch:8
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6444 /prefetch:8
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:5908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6416 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6444 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6540 /prefetch:8
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:536
- C:\Users\Admin\Downloads\Rokku.exe
  "C:\Users\Admin\Downloads\Rokku.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5724
- - C:\Windows\SysWOW64\wbem\WMIC.exe
    "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5776
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\services\VSS" /v Start /t REG_DWORD /d 4 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5812
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5848
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop vss
    3⤵
    PID:3848
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop vss
      4⤵
      System Location Discovery: System Language Discovery
      PID:5296
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop swprv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1640
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop swprv
      4⤵
      System Location Discovery: System Language Discovery
      PID:1108
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop srservice
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop srservice
      4⤵
      PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3544
- C:\Users\Admin\Downloads\Satana.exe
  "C:\Users\Admin\Downloads\Satana.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3696
- - C:\Users\Admin\Downloads\Satana.exe
    "C:\Users\Admin\Downloads\Satana.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4300
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 376
      4⤵
      Program crash
      PID:400
- C:\Users\Admin\Downloads\Satana.exe
  "C:\Users\Admin\Downloads\Satana.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3608
- - C:\Users\Admin\Downloads\Satana.exe
    "C:\Users\Admin\Downloads\Satana.exe"
    3⤵
    - Executes dropped EXE
    PID:1960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 340
      4⤵
      Program crash
      PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  PID:5892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6480 /prefetch:8
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6344 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5976
- C:\Users\Admin\Downloads\Seftad.exe
  "C:\Users\Admin\Downloads\Seftad.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1532
- C:\Users\Admin\Downloads\Seftad.exe
  "C:\Users\Admin\Downloads\Seftad.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1680
- C:\Users\Admin\Downloads\YouAreAnIdiot.exe
  "C:\Users\Admin\Downloads\YouAreAnIdiot.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 1204
    3⤵
    - Program crash
    PID:744
- C:\Users\Admin\Downloads\YouAreAnIdiot.exe
  "C:\Users\Admin\Downloads\YouAreAnIdiot.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1172
    3⤵
    - Program crash
    PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2860
- C:\Users\Admin\Downloads\Avoid.exe
  "C:\Users\Admin\Downloads\Avoid.exe"
  2⤵
  - Executes dropped EXE
  PID:5256
- C:\Users\Admin\Downloads\Avoid.exe
  "C:\Users\Admin\Downloads\Avoid.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2948 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5568
- C:\Users\Admin\Downloads\Magistr.exe
  "C:\Users\Admin\Downloads\Magistr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3788
- C:\Users\Admin\Downloads\Magistr.exe
  "C:\Users\Admin\Downloads\Magistr.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2684
- C:\Users\Admin\Downloads\Magistr.exe
  "C:\Users\Admin\Downloads\Magistr.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5128
- C:\Users\Admin\Downloads\Magistr.exe
  "C:\Users\Admin\Downloads\Magistr.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5772
- C:\Users\Admin\Downloads\Magistr.exe
  "C:\Users\Admin\Downloads\Magistr.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5700
- C:\Users\Admin\Downloads\Magistr.exe
  "C:\Users\Admin\Downloads\Magistr.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5528
- C:\Users\Admin\Downloads\Magistr.exe
  "C:\Users\Admin\Downloads\Magistr.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5420
- C:\Users\Admin\Downloads\Seftad.exe
  "C:\Users\Admin\Downloads\Seftad.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:4816
- C:\Users\Admin\Downloads\Satana.exe
  "C:\Users\Admin\Downloads\Satana.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4284
- - C:\Users\Admin\Downloads\Satana.exe
    "C:\Users\Admin\Downloads\Satana.exe"
    3⤵
    - Executes dropped EXE
    PID:3284
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 340
      4⤵
      Program crash
      PID:3608
- C:\Users\Admin\Downloads\Rokku.exe
  "C:\Users\Admin\Downloads\Rokku.exe"
  2⤵
  - Executes dropped EXE
  PID:4240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 528
    3⤵
    - Program crash
    PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:5664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5188
- C:\Users\Admin\Downloads\MeltingScreen.exe
  "C:\Users\Admin\Downloads\MeltingScreen.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5808
- C:\Users\Admin\Downloads\MeltingScreen.exe
  "C:\Users\Admin\Downloads\MeltingScreen.exe"
  2⤵
  - Executes dropped EXE
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15388217986198374414,7466936887094038035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5480
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:6092
- - C:\Users\Admin\AppData\Roaming\{f07c8dc8-bd45-44f4-9eaa-072378b31bd6}\wusa.exe
    "C:\Users\Admin\AppData\Roaming\{f07c8dc8-bd45-44f4-9eaa-072378b31bd6}\wusa.exe"
    3⤵
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:944
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2912
- - C:\Users\Admin\AppData\Roaming\{2e999f7d-1650-4a7a-a02b-657ab37065e1}\xwizard.exe
    "C:\Users\Admin\AppData\Roaming\{2e999f7d-1650-4a7a-a02b-657ab37065e1}\xwizard.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3768
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 520
      4⤵
      Program crash
      PID:5172
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:4000
- - C:\Users\Admin\AppData\Roaming\{66644bc6-3c59-4dce-a2b6-9ae5dd9075fa}\quickassist.exe
    "C:\Users\Admin\AppData\Roaming\{66644bc6-3c59-4dce-a2b6-9ae5dd9075fa}\quickassist.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6140

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3332

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4300 -ip 4300
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1960 -ip 1960
1⤵
PID:1320

C:\Users\Admin\Downloads\Satana.exe
"C:\Users\Admin\Downloads\Satana.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2496
- C:\Users\Admin\Downloads\Satana.exe
  "C:\Users\Admin\Downloads\Satana.exe"
  2⤵
  - Executes dropped EXE
  PID:3244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 348
    3⤵
    - Program crash
    PID:5980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3244 -ip 3244
1⤵
PID:6068

C:\Users\Admin\Downloads\Seftad.exe
"C:\Users\Admin\Downloads\Seftad.exe"
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5256

C:\Users\Admin\Downloads\Satana.exe
"C:\Users\Admin\Downloads\Satana.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:868
- C:\Users\Admin\Downloads\Satana.exe
  "C:\Users\Admin\Downloads\Satana.exe"
  2⤵
  - Executes dropped EXE
  PID:928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 340
    3⤵
    - Program crash
    PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 928 -ip 928
1⤵
PID:1060

C:\Users\Admin\Downloads\WannaCrypt0r.exe
"C:\Users\Admin\Downloads\WannaCrypt0r.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:2944
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:3452
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:4636
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 36241730811719.bat
  2⤵
  PID:1684
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    PID:3668
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:3676
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1840
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5788
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5432
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5324
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "hbqpqaznjyrqx231" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1496
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "hbqpqaznjyrqx231" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4340
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1648
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:532
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3896
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3264
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4924
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5504
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3688
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5860
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5776
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3324
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3660
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2988
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5216
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5684
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5980
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2728
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5668
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1284
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  PID:4072
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4624
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5348
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  PID:5372

C:\Users\Admin\Downloads\@[email protected]
"C:\Users\Admin\Downloads\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4344
- C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
  TaskData\Tor\taskhsvc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5844 -ip 5844
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1268 -ip 1268
1⤵
PID:5392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\README_HOW_TO_UNLOCK.HTML
1⤵
PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb55646f8,0x7ffcb5564708,0x7ffcb5564718
  2⤵
  PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3284 -ip 3284
1⤵
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4240 -ip 4240
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3768 -ip 3768
1⤵
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
725dc50f5c862739635baf71468799bd

SHA1
ebc9122d36b85d8ff398f8c5e12a6190dca4a009

SHA256
b3fb55692fdb004df10fd011dc97cd56f7f5230ffced4b68ada3c71c6f4616a0

SHA512
8147655c9b1a635f8ffede3e2052fa0bb01e6a3e05439ad4bfdf0776cc4d5230c081b7e2dfb5b2002d5e27576c96868a5a00aea33d27b4e2fd50171ae06ee21b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2f7a1751176255054058fff6e12b028d

SHA1
424a5650e244193a3eb0f584062d5e157b36719c

SHA256
35c40c9a03266c41a698bf1c21cf52ff2bb1b1847541bfe4d9f789b13741335f

SHA512
657ea99cbea3fd69216747433992a6fc861d7fb860c974d939f1a296b82607e7c8785def9266b63faa5132d7f598b14d36486486a5400876fd6a20dd86ece375

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f0e309699c13a677cbe189be99e29856

SHA1
ec225b6df4e8d0e8935fb28ddc9c8a859612999d

SHA256
4b6c47e69114e8ed0658021b1d44c8b906598260b71dbe877b94f4027eca633e

SHA512
9b6cdf5889487c94e0e91c3a72dfffcde2e09c8285dc93900371784b51122385c921c7052ea6c93b65cfc9b55a1816b4eb1c115bc48adfe79dbed6087af3dc7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ea7577a47e2807d355ade85381c0dce4

SHA1
3304edb10c4d6e5e4000e8aaebe6d9d8a6ef4ef7

SHA256
8c78d2922e755eb4766f5de2eeab3f02f38f5b04a4694a77eeb2f293cb4484f5

SHA512
efa812a762bacc9bb9e924112130127acb5970effcaa74fd6a9c4df93687c53cf2606189a5f5a37dd82bc77dbdb0c9522b645c103b442b2ce4dec48b4cd30f0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
a2467ba315551813fa5652163ec9af7d

SHA1
3472e18b050b70ac923089bf4612b1aabefe970b

SHA256
b8f18d1f00c64eddb751149fd06503a5e9c94097bf6636f1af26e92435af0fea

SHA512
4a418c595b39a14b923d9c5d85051e5b5910fb18e4f2c6f7196330686bd65c0f71eb560efe89cf3156f8c939f7070bb3e0c815fd404f9173ce77593f1c80061c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1060061407d6e2e464b9e30e09aec582

SHA1
ad15501bee081ef349cc25525205782c33296bc3

SHA256
af1291277b0a8a7c732c371e1fcafcb11e06bdbc5c0b49ca638fbebf383f7756

SHA512
280bba2faf523659dd2cdd423145415360eea2a81e58a2b7ac7afc438c9a8781cc7c71a28517785db1e2eeee349e6a3e52bb7a1635c7c70b300c7e4938c7e7e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a7d9b5786e65d0f7b2bccbc9bdc7108d

SHA1
f984efcabe194b94747933ea46824ef3ebd96cae

SHA256
0ea85f1ddc0fd717d31a60eb7e472bb45aca6197f7df39eef0b1f61370f64ac5

SHA512
a771d4dfd25f85fab9dba2755ca5968e33930e5f8da2fb8dacdc6ba52445a111399485cf3325fcb35f46978f66ac36778bfdcfe9b20c122e70a1eb61cac53804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e73f838005e7bfb1bb12102c02ca705e

SHA1
3d13bb96f25ec461b20c6202e718077a12d6ecb3

SHA256
52695b967ab80f06083ae29eef5ae7b07a342993ff39ca3e0d4a25b5abf9fc74

SHA512
ddc9b2a31751dfd33dc59186b856f7343aa57d60eb5ea953b334a5cd34ceb2422eaea9ddfac389645306f885b980015aa2cf745cff523b13c65fb61285157d78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e628ada762efe1fd9efa8d583e12003d

SHA1
7411492b5cc5fe435f914ab0a362a0c821be8f28

SHA256
1d86975a1cfe4a9e22b82e737dba1f417932292762a4c874be5b77727cf99e04

SHA512
52c96150ce3a07b8ecfaae2c5fc7c82c2b991090e489c37a35e7d89a1374a54348b88a71b0ada2098b47e95c5366a0fca182b4f5e94afa779a4ac0937116b7ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ec0ecd936c514819afbb1612663323bc

SHA1
b00d7cc3f310b69a6c827ec7695f5edc808d9a58

SHA256
effe072e2e4fa6edfee385210122e158cfcdd0b7130c7bf5d79483ba1ede22d1

SHA512
a1e931d6691962d1426f1c69cc4ab81d9c662e6ad718c42e9c34532a5087347013d8389d29b2481749bde14c2290bc80c4ad6b876bb31e0977ecaa00b0e45eb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51ceb9ae27738fa25ffcfd2d92454d73

SHA1
2fb0b4bf4cdba2d58ef958621ca9832f40aae811

SHA256
37def950cbdb55320d4c88eb13856d77d3c2d198453771a52a2dd153fb697814

SHA512
847b2af4b7eeeb0699255ca489c9a1e510688727e78ea2e95ce42c19935c529d46a79f815e183f8090744536684ad34643b85b955532ccec24773b9a40c9e761

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9ed0a71f109326418afffe2d8d80031d

SHA1
0dac71703f0834ebb31f0ae10771450975c82eec

SHA256
b220e686b0b283f1d1cdc746daa123ceecae089a7c4f16283c64a88b339918d3

SHA512
81516275f7f6c21e02bd993f9aae9b00eb43e5130a9c814df0685415f3bd4147beacece458216b007d83d7751af089f15e7c0cc636aea6001960eac60d945686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
de8dc5e04d8e9fa318236e3cea0e6b00

SHA1
298b9410d8ed643e5567ccce099556425f67671f

SHA256
a4157cd8d97868a93d58f3046f9f0c0685cc54cf7d2bdcc6e21b455b636b13fc

SHA512
ae6fb00b5a22cea90fb5abee0792b1190b96f4ee0f8124f08abb4c06e625bea5a1805754b2f480d6429f5fd0d9335ccf6118828cbeb14bd3a8bce7b8fbadbf31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7190b9e80d15b80dc486742503cd8972

SHA1
1736a6d242796ea2d155c670099eb5e5779701d2

SHA256
7b0f6194bf99f1c8fa8140a321604216fd0e787706cbaa7c7acd8d3d14509f70

SHA512
88b83985c351bd63e1e80e2da8dc2211bb460cbfe363a2a71d9f50e1660431019db72b186f2b0f2eac447c39a6612bcc5f79f0cc96162e7529cf696fdc7bf15b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6e5aeaccc0aef62667838f696a2c8934

SHA1
c03c9989020d76bbc91490b3e6bb0efa28c607af

SHA256
7e4b41213b84adf0b260c3931923f187f1eb39f8ec01396d988f29f98edad3af

SHA512
93d6c509adb57713eb28313585825e42ba34d505e028cb3c6040bf43c964921f406a6d6026730e9e460fe470caad06768baf6784abfe494a1ee3e458f70a0784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7ea398a39bcae958a38c19b8e7e71173

SHA1
21c3b107c2c5566310c120e5d2d53983547bdc2b

SHA256
6dc8c13c34ec4a9bdf7b3cdb2f1ab8f32d77eee3ebef2293a845ee7bd1c27870

SHA512
4ee47d1055d5b152c317c7fa402dbf514ee54e0522aedc1e0270d09585885bd7273338a73c6a0d99e13c267c8ac27a6b62573cb45e6b2b7ac6e9111cc7401754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
17721675fbb925b9e33b88edbd23d2f5

SHA1
badabb795ae364c636211447db648453120fbc3b

SHA256
4c700ed8d21a6b3a490e0c5ed31720a0e9608601f5fbb5768eb73eae17a46620

SHA512
30e46f59f34c306f0f682844f217def1bdeb05e94d98137dcc8337a344a1c781c4a7baa648ae445fd4fd965c96c20d5517eaf9daf1e200949ef8dbfa52b9e210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ba2689767770d11375cdbe1e776715d3

SHA1
baa65eb5d7dd6e33cfc7f3db0f6ad5630d295eb5

SHA256
9629147a327656265aacfde3bb0824f743f3a2ec4f73cc934dadeb5ae18d3824

SHA512
6d7871744e82153511bec93c251e0df821fa5e16941b06204dc13671f3fabea14a6ec1c6b11d66bc17110d3140af72cf1a37bf9c18feef03ad7b6cc713380244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ca963d61daae29ec91fbff5cc9fd95cb

SHA1
0971a52eb14649cb8ad4f342107f1a860c1a9a70

SHA256
6ebec5c045296e926e062e1fd5dc83ee1d06b24adc5f42bd4b649ec9eee6d1ed

SHA512
d7ad94fefb1e4adce185f01aae85b71708b47a023847fe7521bb6c1965fecec56d33fdadcf472574ca989185fe31a34a3ef5e0fb4b0904daed1b9a84ffb4c2f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
becd27b548e8d01070e75953fa5788e6

SHA1
2eefe905e958c9e6545c2ad96d4c38fda2aa6c12

SHA256
95e56505f97aa8d90009d44f502c87ed67b8fd90b315646eb24c6d01b046c8fa

SHA512
98951fdf1d02ec6f9c5eeee725c5390a491c54d470f115e763009bb9aeefacc06926d317eaba45ff58d49c3a6c282749fd3efcc80546d80e1d3f709ceb116d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1896c0bd1e0e2f002710215bc62f1629

SHA1
a93eb0f81ce9ebe751def80b287e9a1c6566fbb7

SHA256
ef8cb9bcf0bc3d114c39fa6eb776f689e8afbf9fd34310328a7aaceacfce6f0b

SHA512
fc50b68053147aafe65778e6f325d3c0b349faf11fdcb001df524721f5495e3d0313d3c60c16080da0c350acdf9e9717f4e08289c784a1f89165e6044a47ad98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a3ceeebd8c95f1de46baa6af45a1dd63

SHA1
97d0c297f89dc06ea12d58c5c05db296cc6aee99

SHA256
7aba206ff737418ffe00a21ef0e1952c83b6b99dda2e932aa920d310330bd2f7

SHA512
b00c6162065b7f59a97de871c8ce1eec7b2cd512ea1072234a61c42d55e75a792e0a6a05169e8fd580fd5b286d70652b136df3e0e4f70b576d2ff67c1d946641

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bcca02baed06f50e795cb6bfa89c0698

SHA1
a15b362bed0e1768c1524eb939928354c40eef53

SHA256
96a12de4cbe1c677d0be7a3db529c989d8c9591e337190c12924ef41bc783272

SHA512
b608d378b5c98db1bea02c75d35debafe6bbf33ac96c3ad6a004d5fafbd0bab82bbc611e0d7ee068fdc9fa0767f4ccb3f7ef22f580de40fc0bbe668e74e73416

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fc15ed034cf7b7414838519c894d7bc2

SHA1
22c8a3dce906c0f0306dddc9f9eb65858c648dbb

SHA256
d39a50e83b955f8573fd185df31899a0f0c4729e00df12ed776969a9e8cd2e57

SHA512
fd72b7c474a4261ca02d21ded060cf9b3dd8d0266c5b3ba7141fe06cb150721c2296d8744a4ea28debfd5bae3481f7832c95d2a91f682255b8778c1bd901fbb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
900dd7748420edf6c2b84d3796ff2ace

SHA1
e391787fc66acf007fe2927ada2fba56215a5877

SHA256
e1e87c1419f2b371196a19907db541546799e724c61cc6a59de43051a9f38053

SHA512
77ab6da90193cf62e0637f14ca5a3f95fde83397e765486a9eb4a69a2c1c02cc3b8fd182aad1acef915339a91ba2f5347a58c58c150e57df53797ed7425d2237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8341e68f7240762312d5298d2cfcb042

SHA1
27b8d008c904c6121bd9c52507bb23f7a516ddfb

SHA256
255f9d2e4b6215a9fdee7adc7d867189426ceab411306084c183b43812db889b

SHA512
1042a946dd17b416154b4f547ac23877f2a5fa064914bc3097540518f092f4fb51301f0f413b61873963f889a700403c28a175548ab06bdd76576b238cc937d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9fcce5c4cbd792fe0c6d0a60a12e8ec4

SHA1
aa10ddb1fe1fe0b053defb94a74dfeed20ba4cf0

SHA256
3b6da3d150115e09d02674826c372e123dbfa569d6075b6dd8e0e08edb07d499

SHA512
2400b7597f4e63d30996fbeaa0700185a5142629ddebbae20faeea3c5ebdb5ec675bbd052f87e9daa43bccb3984ab21cdc0d59d2372b04cccda8de6377a98138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b89e22304e3d7e73227f64056f62cb17

SHA1
07f18fbad199aba58c068cb13bdbb7c306849b51

SHA256
6a40e75874ec7b69e12bd52fbb2089c23bc2da7cd69f95a740bc8a2fc35c03b2

SHA512
b8095eac22e562122338df49bc2b9660c8e91ff81b87baa793ab4f29b0988586d58c129f6c7c48b4b140ab1aac123c7bf089c7efa5bb79726b40bcd940b9ae89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eb77b7db5574dbb4d0243ff6297dc279

SHA1
91a303a6645c924987e5e07962236035ee00b088

SHA256
5e867ff32d0a6e1352e1b1765ddb5844143897973c4e7e386d1dae41001cf4c0

SHA512
8c90f4c525fe68dfa6e134688a4eefa64747fbb2f2667d775661bcbb935493c65b758f5e69e19cf2c177e0a2c3a6cbde4afe233686779ae7f0fde049dcdc34e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b31a0c78eaf7583642e631a09c0eff4d

SHA1
fc70aa858def78d723ad3f9517b6b1bbae90599e

SHA256
89c6a890397bc8a2274fc2140aa7ae235847ddba6b5373de77f133c8339559d5

SHA512
cbca045dee08262ba49e946a484cbc8800c37ede8906617040964bad4dfc36689f641e2fd493cbd62b2e80608bcf4db32e366d511444238220f21a8190f6c09f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
598c2251416efad45002fabc0ce24cb0

SHA1
0f30ffa1d35bdea0f989de216ca1b02e8f4cd0fe

SHA256
886902cdb24d702bec7f1b2d46d98cb03e6536f1c40ffbc6cf75ee9849c2f528

SHA512
61f81872786fe89b8fd7fb7fb05d6d960c5e4561b2fd5c44f29bf8d3e76ee0dcf48421e4c86804dca58684f2525c7a28028d013882ca8de3a355a121ca408c78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0586e58eae5de1b0d4f14d74ebeeaa4c

SHA1
b7ef0cdabc1ee9f087dda9d3df37abe11fcd64fc

SHA256
41cbea9850a7518186ea2d50e7176b36d9c69c0f2ffba0f8d21a63de9fd792aa

SHA512
f743c6ed416bbe9f6a8481c98b6efb52521e91b0678ef4cef9919de2c4076fa4dd3f9f7a5d583a658ae0e312703296f9e5e219b7e30953d56ececf0e5a326b4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6c00672a1583488340ffed35f2900f6c

SHA1
40fbfd5b86501b364d76ec24b2e1697f1077b5fb

SHA256
beffab248ed1b5285a82c4a68dc3cd123bf29ca86d19fb65face24823fe17384

SHA512
9d206f47c1501c4eee8553b62d4a31f99cd13629aa05a3c4963961e53b43343c7cc41294793eb6992eb804eced4f488a62011f3907c92a08ced3f6ee83209e96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8b6f7322cb64b6c5b631e83aac3fcb7e

SHA1
c9f315f84a1c0bda6a5b6661a73dbb006cd6ec09

SHA256
13c9585b7109e002d49dbb6fa97aed2351947d47fd3e45b28f6abc95895c4484

SHA512
14b3d57f079a64e2153f7a3f972b34033f178f24e2949630391e3f38a79481560e24fdd6312ea6107b48ea5d38a78c2c0288441102aae398222c8d84aaa0eb37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b1c5f6bf30067edf4b826963dd4d36cf

SHA1
5310c967da9bf275c25d26dcffde22a59231cfee

SHA256
f54b48975384fb658792e6d09ee3135f6da26846679c5bfb35f46ab310911be7

SHA512
97ff022fd9a00f398231ffeff50a2e3dcaeba0fde293bd1fee2d817c6613e5e60931d4cb4f14f1aa16de9dd3c3fcf25f4eb070d341992c9742664b5df0dcc1f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
15190fd705b1999d18b717d92989911f

SHA1
d7cf44703ab936d5e527386f472e34d903f4ef37

SHA256
ab0ddbc5fde5e2987ec59094071f1309194cd565448261104419c6215644b705

SHA512
5bf45ddaff33efe7cef966c58160e8da7a5adae1e422b9880d38ea70e247c8172446642cf72ffa7f2556b7ea7ce236bfa129a306ae1d4cf3e6821c47584181c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
29d094e4ad00bf9706119c1514be106e

SHA1
d18df8c3d91b4959e132e2a63678a7603e0cb9fd

SHA256
b291baab9eab8342d4d853c474912ffc55e4fb2093877bbbc0437cec05a8fa61

SHA512
2d651585323bbb2b2163265d4b71e5926d0b557e000d4cee4e44a755c1e7d97150c409400f4bcdf4908f28fd6342d617e191bd0c3145c9adb45ae0be18aafc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581ab7.TMP

Filesize
872B

MD5
0ad8e3c5f3d37de07f46cb3f50b4746b

SHA1
a78c13fd701cdf738000c0cf4a4ff5ee0d41953e

SHA256
04d1f4d34a4dbdf8ae21ba721c60e4eb8d364aacba29ea517351459cbf00b667

SHA512
9eff762093e82f383be81f403d2ecfe8c7777bdc79c79cdd1ce87dae18fe53d79ec4213b1bd6b597dadd5410afbd08042bb481e4ef58dea783272d242d4b6afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
dc7fc77df30fdcbbcfeb57d2c984d908

SHA1
694933d6eb9865650089393fe13473e1a7669458

SHA256
754b706302cf7bd17fae7148eb2644681df73557621039480837933e0f86ae7f

SHA512
7460281147b73e9d4efc247ccf0d95de33698ebce55380c1a08bb179fcaf4d6b04a49f3e8f0187b5c8ff2e01d9a2fb4086319344b0e83e36dce328e338d2dc27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
aa8675bfefbcffcdf993872917b85bb0

SHA1
c991fbc928fd561ac48794981d35e4f01be733b5

SHA256
7fc98cde5af9970015edf7729d8e69378ae7ccc0546495923ead92becbfd36e6

SHA512
9d688317b4b3c6ee7e66fec2729bdf56be423821ed95d5c3c0abbb63911d45c74e1fb4e8a462af07baa74a33407044ec8225594269c1e5dd3be8c5f227782e86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a5312dfc2207e931eb95b24790f62456

SHA1
d608373a416100a9a1cb43b43055626d56aed134

SHA256
d1a523ceb28345043b71e1f8f964a82227ebf3a851d035789e9486df7eb00c79

SHA512
195234badd55a8d1d36f1aa8c4b1b475e29e7525c53affb3a493513fd9563eb5e307165292bc3796b835b2678cd7778998d243eac833fce64225ce0a80018da0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
fc6cffeac089d69650628cf5af740394

SHA1
fc34f97f4e3dd2f9016a2649be7a34eadae0c0ed

SHA256
4fb426303da37085718f420b99bc4f5172f430ebd6b287b232a27106eb940fd6

SHA512
03d12b21ffe55111b0babaeef0a2e9ee747a75d276d4d7d711324697228eb9f8d68e415b153edb3fcb085b4ffbd6a898f4818e2cffaf17cd144b3f5f71877bd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
94033fba1db4e13e019307714d55861c

SHA1
0d32ded859e39d9aeb85f0ddb700e389780f4672

SHA256
d42d61a32814e88dfd49666053f5fc4a9c1fd8a779254f1b0d5a469a33f85126

SHA512
afd7b3083e9f3d899825356bbbf7018695e1f67851bbf76d9e1fbd509df28f6d73baabea2b74df6f20b4bed780ea75aad134b08cde82875e3caf5cfd2e7e2235

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4a88a8cdefd8e9f2d382a1fd97f03ff2

SHA1
d89cfdf8603c4c24da296347e7b44c559212f69e

SHA256
45bfd8d5868c1f8a72834a84a6c12eea3f12138403f9f0925726b22e32e678f7

SHA512
043a5ad853a2a6c368a7049552c065f7c6a820fcd9cfefc7ae2aa2d6eb420bbc9d0f3f68244b690b91dcb174e4f8e3be21cf7b2cfbe23971a395478c557698f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2b87af10a85ec79b36f3f84abdc05412

SHA1
ed7528ac48363e8f06cd266a9a7eb02c6d2b0ce5

SHA256
0797e8850ab4695d38b00f827d1fe45670c2baddee5dd7f2903b7e58b709be54

SHA512
3ae2d3e93e0d76363a4974fcfc1a30848531daffda9495463e5c56e82cbac153890b16d627212faecb7939259bc92c98a85bfa88a35c85d2322500946a0181b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
420ca0a9a4b48794b8f0ed8515ad5e46

SHA1
38c9a17a6fcf976cf27fc80bea84e19b4bcc1164

SHA256
c6a675810195f045ce591b5d782729197c1afe22e9f5959661068a01ee9bdd32

SHA512
6f4683022676af2f8398d37ef8506604d1fe1112630fd67647dcf5e035a0e95708c61e48cc6bc55643bdb708e712be0abaa6242c2112e83cf724c1b8ce343dd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
600c68714ff8e8358fd3a9d003d06771

SHA1
bbce84e5e13c58cc6f0fbafa90e3fcd0d6269461

SHA256
634f59ed7aa6e79f8b8a0d73b13ebe44a7a05616166968c8f2739c9c81a332ac

SHA512
f5f5fda8898e6e14e46ec541e8aa7eab7bcee592f028afe7a368a113761f5324ff459f87d4b37c310c339a3361511fb2eaf52745d9e05bf702b5860df14881a8

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
4.7MB

MD5
1189fb78a0093be60ff0d11c004ab9d3

SHA1
c715d1d0e25246a74fec91c5927f19068fd2c911

SHA256
de81ccd10bfd7ed78aca4572490750dc9c446d193ba129046a0d043ed6f68ca4

SHA512
412fca74200a645e274009eece1d6c00c349ab0513e1c86c2fd0506a6aa7289e648c01edffe9cdece387b99732ee6585fb550b3eab9635c8ee98de68d341059c

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\@[email protected]

Filesize
585B

MD5
ec3037f4f79d43f3826baa9dd89ac2fe

SHA1
166fc2e9a7110305ae8ab012676f31f2440d52ea

SHA256
a4f687d19e09328134718aca5bf6f52df123564a33ad23a122abd088611bff77

SHA512
ec036d3b5e49aa58a3cea4ec6e6707c465c25bc819043166e42ddc6277a318f6c2a94f97d5393e3c0befbe06e8f734f4a634a4af47e97b1a1be575d5afae5708

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\BackupCopy.vst.rokku

Filesize
333KB

MD5
d15c20fc4391f6580ac28d75c738f696

SHA1
f7e47fd9a9a0b8ec491df299d11f584e00294ae0

SHA256
5b3a1b4497c80679b28d579d5155540be7bbc65883c99892acb9fd6f9685a5ba

SHA512
ab2019b0d2e8bbf423868b825279305319508cece32f51ceebbdfd1e3bf58fad9b6264628dbe4e234541fc683eaeaf9df40927b86656fd979f5476b430b07537

Download Submit
C:\Users\Admin\Downloads\DisconnectUpdate.dwg.rokku

Filesize
368KB

MD5
2adfd2f14b430a03c048daf9d4027b21

SHA1
0614342dafce3045b59d912f9bbd5f5682470abe

SHA256
05f01be815dcd16fcf8fc0af5f571b8c3d3179786f2b0cac77b06c6c2ee98b0e

SHA512
91ef84a69ee25d584ac5e0e6061c27cffc91618259fad7a1301e458ea02d3e8ee74f8f61dfe5a3dcfe768fa9fba2ffca0f5607315dd4e6a12ddbb02c6c80c5a2

Download Submit
C:\Users\Admin\Downloads\InitializeBlock.wma.rokku

Filesize
521KB

MD5
e47573b41827f0a5ea553fdccc2f2778

SHA1
b7ec7636290974e3e05526e6fa730afa1f80913c

SHA256
4590c8574fa940a2f499c925f65f3e552141c07f5efe0c33e1d28173ed12acc5

SHA512
9afc179932c725212534bf2eca6ff1e33ddc95e99d32e7e937ec90b5af60b7f0b7af5af9b6e1ed81bc904ece7d456f90ea4f501dcc269669f10465c58f251386

Download Submit
C:\Users\Admin\Downloads\PetrWrap

Filesize
473KB

MD5
17c25c8a7c141195ee887de905f33d7b

SHA1
7fa8079e8dca773574d01839efc623d3cd8e6a47

SHA256
e079fa28ea51fa98644164caf585ae3231d25372fccca1245902fb57488d4660

SHA512
de95f18101b99d159fe459c5e5651e0db2b1c76e02c9c2741bfd920decc970abc6dc0b41651be0471b4c7c3deb8b5e9a6e956c6515f268f9dfee7b76087a1e2b

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 175098.crdownload

Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 247389.crdownload

Filesize
248KB

MD5
20d2c71d6d9daf4499ffc4a5d164f1c3

SHA1
38e5dcd93f25386d05a34a5b26d3fba1bf02f7c8

SHA256
3ac8cc58dcbceaec3dab046aea050357e0e2248d30b0804c738c9a5b037c220d

SHA512
8ffd56fb3538eb60da2dde9e3d6eee0dac8419c61532e9127f47c4351b6e53e01143af92b2e26b521e23cdbbf15d7a358d3757431e572e37a1eede57c7d39704

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 286475.crdownload

Filesize
17KB

MD5
4784e42c3b15d1a141a5e0c8abc1205c

SHA1
48c958deba25a4763ef244ac87e87983c6534179

SHA256
9d355e4f9a51536b05269f696b304859155985957ba95eb575f3f38c599d913c

SHA512
d63d20a38602d4d228367b6596454a0f5b2884c831e3a95237d23b882abd624de59ea47835636b06a96e216f1decf8c468caacd45e5d3b16a5eb9e87bc69eb97

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 315084.crdownload

Filesize
48KB

MD5
86a3a3ce16360e01933d71d0bf1f2c37

SHA1
af54089e3601c742d523b507b3a0793c2b6e60be

SHA256
2ebe23ba9897d9c127b9c0a737ba63af8d0bcd76ec866610cc0b5de2f62b87bd

SHA512
65a3571cf5b057d2c3ce101346947679f162018fa5eadf79c5a6af6c0a3bc9b12731ff13f27629b14983ef8bc73fa9782cc0a9e6c44b0ffc2627da754c324d6e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 429042.crdownload

Filesize
424KB

MD5
e263c5b306480143855655233f76dc5a

SHA1
e7dcd6c23c72209ee5aa0890372de1ce52045815

SHA256
1f69810b8fe71e30a8738278adf09dd982f7de0ab9891d296ce7ea61b3fa4f69

SHA512
e95981eae02d0a8bf44493c64cca8b7e50023332e91d75164735a1d0e38138f358100c93633ff3a0652e1c12a5155cba77d81e01027422d7d5f71000eafb4113

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 471419.crdownload

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 495414.crdownload

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 509915.crdownload

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 560967.crdownload

Filesize
107KB

MD5
9890349fe3c68f5923b29347bba021a4

SHA1
fa080a50486b205b75833a6b5c9505abb1e3b4df

SHA256
068f2ee28af7645dbf2a1684f0a5fc5ccb6aa1027f71da4468e0cba56c65e058

SHA512
aedd86837987cbe8c0b1cf3b4ca0c3a875e4cc9bcc8097c160d0d6070427ad9e1d871d5339ea95cc03499c39a6536b5a6b6d43372a49eeaf2e87bf755a3d3367

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 755769.crdownload

Filesize
666KB

MD5
97512f4617019c907cd0f88193039e7c

SHA1
24cfa261ee30f697e7d1e2215eee1c21eebf4579

SHA256
438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499

SHA512
cfbb8dd91434f917d507cb919aa7e6b16b7b2056d56185f6ad5b6149e05629325cdb3df907f58bb3f634b17a9989bf5b6d6b81f5396a3a556431742ed742ac4a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 755769.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 829777.crdownload

Filesize
49KB

MD5
46bfd4f1d581d7c0121d2b19a005d3df

SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d

SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 9895.crdownload

Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\Downloads\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\Downloads\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\README_HOW_TO_UNLOCK.HTML

Filesize
1KB

MD5
c784d96ca311302c6f2f8f0bee8c725b

SHA1
dc68b518ce0eef4f519f9127769e3e3fa8edce46

SHA256
a7836550412b0e0963d16d8442b894a1148326b86d119e4d30f1b11956380ef0

SHA512
f97891dc3c3f15b9bc3446bc9d5913431f374aa54cced33d2082cf14d173a8178e29a8d9487c2a1ab87d2f6abf37e915f69f45c0d8b747ad3f17970645c35d98

Download Submit
C:\Users\Admin\README_HOW_TO_UNLOCK.TXT

Filesize
330B

MD5
04b892b779d04f3a906fde1a904d98bb

SHA1
1a0d6cb6f921bc06ba9547a84b872ef61eb7e8a5

SHA256
eb22c6ecfd4d7d0fcea5063201ccf5e7313780e007ef47cca01f1369ee0e6be0

SHA512
e946aa4ac3ec9e5a178eac6f4c63a98f46bc85bed3efd6a53282d87aa56e53b4c11bb0d1c58c6c670f9f4ad9952b5e7fd1bb310a8bd7b5b04e7c607d1b74238a

Download Submit
\??\pipe\LOCAL\crashpad_3164_ERUPGGMSDJUNJLON

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1316-2658-0x00000000008C0000-0x0000000000BBE000-memory.dmp

Filesize
3.0MB

Download
memory/1316-2667-0x0000000073250000-0x000000007326C000-memory.dmp

Filesize
112KB

Download
memory/1316-2654-0x0000000073030000-0x00000000730B2000-memory.dmp

Filesize
520KB

Download
memory/1316-2656-0x00000000727A0000-0x0000000072822000-memory.dmp

Filesize
520KB

Download
memory/1316-2673-0x00000000008C0000-0x0000000000BBE000-memory.dmp

Filesize
3.0MB

Download
memory/1316-2665-0x00000000008C0000-0x0000000000BBE000-memory.dmp

Filesize
3.0MB

Download
memory/1316-2666-0x0000000073030000-0x00000000730B2000-memory.dmp

Filesize
520KB

Download
memory/1316-2657-0x0000000073220000-0x0000000073242000-memory.dmp

Filesize
136KB

Download
memory/1316-2668-0x00000000727A0000-0x0000000072822000-memory.dmp

Filesize
520KB

Download
memory/1316-2669-0x0000000072720000-0x0000000072797000-memory.dmp

Filesize
476KB

Download
memory/1316-2671-0x0000000072500000-0x000000007271C000-memory.dmp

Filesize
2.1MB

Download
memory/1316-2670-0x0000000073220000-0x0000000073242000-memory.dmp

Filesize
136KB

Download
memory/1316-2655-0x0000000072500000-0x000000007271C000-memory.dmp

Filesize
2.1MB

Download
memory/2944-1024-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4240-3469-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/4240-3473-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/4300-815-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4300-814-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4300-811-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4300-810-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5724-759-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/5724-528-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/5844-2922-0x0000000005240000-0x00000000057E4000-memory.dmp

Filesize
5.6MB

Download
memory/5844-2923-0x0000000004C90000-0x0000000004D22000-memory.dmp

Filesize
584KB

Download
memory/5844-2921-0x0000000004BF0000-0x0000000004C8C000-memory.dmp

Filesize
624KB

Download
memory/5844-2925-0x0000000004E20000-0x0000000004E76000-memory.dmp

Filesize
344KB

Download
memory/5844-2924-0x0000000004B80000-0x0000000004B8A000-memory.dmp

Filesize
40KB

Download
memory/5844-2920-0x0000000000100000-0x0000000000172000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads