wannacry | hxxp://waterfox[.]net

Analysis

max time kernel
327s
max time network
327s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-12-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://waterfox.net

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2AB9.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2ACF.tmp	WannaCry.EXE

Executes dropped EXE 15 IoCs

pid	Process
2836	WannaCry.EXE
836	taskdl.exe
4668	@[email protected]
2236	@[email protected]
2072	taskhsvc.exe
4888	@[email protected]
1264	taskdl.exe
2032	taskse.exe
2004	@[email protected]
3732	taskdl.exe
952	taskse.exe
2208	@[email protected]
5616	taskdl.exe
5612	taskse.exe
5632	@[email protected]

Loads dropped DLL 8 IoCs

pid	Process
2072	taskhsvc.exe
2072	taskhsvc.exe
2072	taskhsvc.exe
2072	taskhsvc.exe
2072	taskhsvc.exe
2072	taskhsvc.exe
2072	taskhsvc.exe
2072	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3944	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aptiorhqd785 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
45	raw.githubusercontent.com
1	camo.githubusercontent.com
4	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133797082465909952"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	firefox.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1992	reg.exe

NTFS ADS 15 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151 (4).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151 (6).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151 (12).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151 (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151 (3).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151 (7).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151 (10).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151 (11).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\smb-d1674sc2.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151 (2).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151 (8).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151 (9).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151 (5).zip:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1012	Winword.exe
1012	Winword.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4252	msedge.exe
4252	msedge.exe
4016	msedge.exe
4016	msedge.exe
4228	msedge.exe
4228	msedge.exe
1480	identity_helper.exe
1480	identity_helper.exe
4668	msedge.exe
4668	msedge.exe
652	msedge.exe
652	msedge.exe
4788	msedge.exe
4788	msedge.exe
3004	msedge.exe
3004	msedge.exe
3060	msedge.exe
3060	msedge.exe
3308	msedge.exe
3308	msedge.exe
1336	msedge.exe
1336	msedge.exe
2252	msedge.exe
2252	msedge.exe
4100	msedge.exe
4100	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
2808	msedge.exe
1664	msedge.exe
1664	msedge.exe
2160	msedge.exe
2160	msedge.exe
4648	msedge.exe
4648	msedge.exe
2104	msedge.exe
2104	msedge.exe
1860	msedge.exe
1860	msedge.exe
2704	msedge.exe
2704	msedge.exe
2072	taskhsvc.exe
2072	taskhsvc.exe
2072	taskhsvc.exe
2072	taskhsvc.exe
2072	taskhsvc.exe
2072	taskhsvc.exe
1136	chrome.exe
1136	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4576	OpenWith.exe
4888	@[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

pid	Process
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
1136	chrome.exe
1136	chrome.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	988	WMIC.exe
Token: SeSecurityPrivilege	988	WMIC.exe
Token: SeTakeOwnershipPrivilege	988	WMIC.exe
Token: SeLoadDriverPrivilege	988	WMIC.exe
Token: SeSystemProfilePrivilege	988	WMIC.exe
Token: SeSystemtimePrivilege	988	WMIC.exe
Token: SeProfSingleProcessPrivilege	988	WMIC.exe
Token: SeIncBasePriorityPrivilege	988	WMIC.exe
Token: SeCreatePagefilePrivilege	988	WMIC.exe
Token: SeBackupPrivilege	988	WMIC.exe
Token: SeRestorePrivilege	988	WMIC.exe
Token: SeShutdownPrivilege	988	WMIC.exe
Token: SeDebugPrivilege	988	WMIC.exe
Token: SeSystemEnvironmentPrivilege	988	WMIC.exe
Token: SeRemoteShutdownPrivilege	988	WMIC.exe
Token: SeUndockPrivilege	988	WMIC.exe
Token: SeManageVolumePrivilege	988	WMIC.exe
Token: 33	988	WMIC.exe
Token: 34	988	WMIC.exe
Token: 35	988	WMIC.exe
Token: 36	988	WMIC.exe
Token: SeIncreaseQuotaPrivilege	988	WMIC.exe
Token: SeSecurityPrivilege	988	WMIC.exe
Token: SeTakeOwnershipPrivilege	988	WMIC.exe
Token: SeLoadDriverPrivilege	988	WMIC.exe
Token: SeSystemProfilePrivilege	988	WMIC.exe
Token: SeSystemtimePrivilege	988	WMIC.exe
Token: SeProfSingleProcessPrivilege	988	WMIC.exe
Token: SeIncBasePriorityPrivilege	988	WMIC.exe
Token: SeCreatePagefilePrivilege	988	WMIC.exe
Token: SeBackupPrivilege	988	WMIC.exe
Token: SeRestorePrivilege	988	WMIC.exe
Token: SeShutdownPrivilege	988	WMIC.exe
Token: SeDebugPrivilege	988	WMIC.exe
Token: SeSystemEnvironmentPrivilege	988	WMIC.exe
Token: SeRemoteShutdownPrivilege	988	WMIC.exe
Token: SeUndockPrivilege	988	WMIC.exe
Token: SeManageVolumePrivilege	988	WMIC.exe
Token: 33	988	WMIC.exe
Token: 34	988	WMIC.exe
Token: 35	988	WMIC.exe
Token: 36	988	WMIC.exe
Token: SeBackupPrivilege	2880	vssvc.exe
Token: SeRestorePrivilege	2880	vssvc.exe
Token: SeAuditPrivilege	2880	vssvc.exe
Token: SeTcbPrivilege	2032	taskse.exe
Token: SeTcbPrivilege	2032	taskse.exe
Token: SeTcbPrivilege	952	taskse.exe
Token: SeTcbPrivilege	952	taskse.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeShutdownPrivilege	1136	chrome.exe
Token: SeCreatePagefilePrivilege	1136	chrome.exe
Token: SeDebugPrivilege	2596	firefox.exe
Token: SeDebugPrivilege	2596	firefox.exe
Token: SeTcbPrivilege	5612	taskse.exe
Token: SeTcbPrivilege	5612	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe
1136	chrome.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
4668	@[email protected]
4668	@[email protected]
2236	@[email protected]
2236	@[email protected]
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
4576	OpenWith.exe
1012	Winword.exe
1012	Winword.exe
1012	Winword.exe
1012	Winword.exe
1012	Winword.exe
1012	Winword.exe
4888	@[email protected]
4888	@[email protected]
2004	@[email protected]
2208	@[email protected]
2596	firefox.exe
5632	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 3116	4016	msedge.exe	77
PID 4016 wrote to memory of 3116	4016	msedge.exe	77
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4896	4016	msedge.exe	78
PID 4016 wrote to memory of 4252	4016	msedge.exe	79
PID 4016 wrote to memory of 4252	4016	msedge.exe	79
PID 4016 wrote to memory of 3040	4016	msedge.exe	80
PID 4016 wrote to memory of 3040	4016	msedge.exe	80
PID 4016 wrote to memory of 3040	4016	msedge.exe	80
PID 4016 wrote to memory of 3040	4016	msedge.exe	80
PID 4016 wrote to memory of 3040	4016	msedge.exe	80
PID 4016 wrote to memory of 3040	4016	msedge.exe	80
PID 4016 wrote to memory of 3040	4016	msedge.exe	80
PID 4016 wrote to memory of 3040	4016	msedge.exe	80
PID 4016 wrote to memory of 3040	4016	msedge.exe	80
PID 4016 wrote to memory of 3040	4016	msedge.exe	80
PID 4016 wrote to memory of 3040	4016	msedge.exe	80
PID 4016 wrote to memory of 3040	4016	msedge.exe	80
PID 4016 wrote to memory of 3040	4016	msedge.exe	80
PID 4016 wrote to memory of 3040	4016	msedge.exe	80
PID 4016 wrote to memory of 3040	4016	msedge.exe	80
PID 4016 wrote to memory of 3040	4016	msedge.exe	80
PID 4016 wrote to memory of 3040	4016	msedge.exe	80
PID 4016 wrote to memory of 3040	4016	msedge.exe	80
PID 4016 wrote to memory of 3040	4016	msedge.exe	80
PID 4016 wrote to memory of 3040	4016	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1568	attrib.exe
1608	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://waterfox.net
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa04453cb8,0x7ffa04453cc8,0x7ffa04453cd8
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6816 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7288 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7344 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7360 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6920 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6268 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7388 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7548 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7016 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6692 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6716 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7576 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7624 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7176 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1644 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7596 /prefetch:1
  2⤵
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7508 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6792 /prefetch:8
  2⤵
  PID:484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4257511308367753891,14125293959672432724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:2588
- C:\Users\Admin\Downloads\WannaCry.EXE
  "C:\Users\Admin\Downloads\WannaCry.EXE"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:2836
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1568
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:3944
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 247071735234570.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1052
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:4592
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1608
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4668
  - - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1664
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2236
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1264
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "aptiorhqd785" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4880
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "aptiorhqd785" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1992
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3732
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:952
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2208
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5616
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5612
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3272

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4820

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4576
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Desktop\@[email protected]"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Users\Admin\Desktop\EnterPublish.mp2v
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa03d4cc40,0x7ffa03d4cc4c,0x7ffa03d4cc58
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1756,i,3982121110615106207,14367368859858012852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1748 /prefetch:2
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2116,i,3982121110615106207,14367368859858012852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2112,i,3982121110615106207,14367368859858012852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2196 /prefetch:8
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,3982121110615106207,14367368859858012852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3096,i,3982121110615106207,14367368859858012852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4608,i,3982121110615106207,14367368859858012852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4640,i,3982121110615106207,14367368859858012852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4648,i,3982121110615106207,14367368859858012852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:1860

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1976
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2712 -parentBuildID 20240401114208 -prefsHandle 2640 -prefMapHandle 2632 -prefsLen 21730 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b367d36-d47d-47bc-b252-20adac9c18d6} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" gpu
    3⤵
    PID:4628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2120 -parentBuildID 20240401114208 -prefsHandle 2124 -prefMapHandle 2168 -prefsLen 21730 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7167f600-0f13-45c6-aa25-f61aa4ca9e49} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" socket
    3⤵
    - Checks processor information in registry
    PID:2168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3512 -childID 1 -isForBrowser -prefsHandle 3504 -prefMapHandle 3500 -prefsLen 21286 -prefMapSize 243020 -jsInitHandle 1376 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15c649c4-60a9-4748-85ab-fe625e03ef8e} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" tab
    3⤵
    PID:5008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4016 -childID 2 -isForBrowser -prefsHandle 3936 -prefMapHandle 2360 -prefsLen 22575 -prefMapSize 243020 -jsInitHandle 1376 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6dd5619-67e5-43b8-b380-b51cc1c3302f} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" tab
    3⤵
    PID:1140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3876 -childID 3 -isForBrowser -prefsHandle 4528 -prefMapHandle 4524 -prefsLen 29003 -prefMapSize 243020 -jsInitHandle 1376 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b19f5373-52e8-449d-abf8-583dc8352444} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" tab
    3⤵
    PID:4252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5112 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5104 -prefMapHandle 5100 -prefsLen 29790 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da038b96-24b8-466b-ad45-05eff947e55d} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" utility
    3⤵
    - Checks processor information in registry
    PID:5644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -parentBuildID 20240401114208 -prefsHandle 5380 -prefMapHandle 5376 -prefsLen 34289 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68de1bc6-e62a-4cf9-9f2f-47a2a35544be} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" rdd
    3⤵
    PID:6072

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
585B

MD5
520c075f9bbc275056793c6f0c8e0358

SHA1
137edfdc0ec3c24e09007e25948895cea933bbfe

SHA256
a5ce8bbe42a32e5a35658cd62188565923251c928b26efef1c84929d4c7e6c1a

SHA512
df5539ab3adad246c937920f72f6387c861ce65c1d00209ea067fed7c568e9a4701a83f92e9ddeb8a627e4bcee020dd511eb376df913a18af551172b9afe1146

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d64525d36766511a5440ec41e8709e5b

SHA1
099fe970ca083b3a0b826864961bfe5cba62f9ba

SHA256
38183c3e1deb059c79207f67842efdbd34a3b34d7e3a07aeab25ce1db62b4720

SHA512
c87bb0ac9e18efe419e1923394ceba1eb8adee3ac23594377607080f73cfd2f77aa6942bdddcd00c7dd52b5a400e6901095e8690f50a1f5ed3e9433a97177626

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0848a8e92a580bbad9e355621f1290d8

SHA1
68c8cbc590feb25e5e03994abfc8c61fd19bcfa6

SHA256
1c81a0b980283d5743157df69bfc35a9570f6ffc730737fb056675d701fb5395

SHA512
23c25459be2d70c8a5d7c2d84bd66ed25011dbef61d262ddae6d9cbfebc33e1db7ee5bdacb5ffa883c9e23a2fcf664763752a1ecc680a7d076a9d3c06a9c038a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
edf5d72fdfcba8adf8d9c2bcdcf6e3b8

SHA1
7d954bce6dcd2c6e14bdbdddf0f49738e899adb0

SHA256
8367413f0c53f27105543e339956a3a5dd3eca34938f6bd75f09c7eef6bf5749

SHA512
464628bbf1826fa84b881b3500ef1b3da4b9b8de6334c663325d53c25db81c5ee24614cd4dd948f40a61fb1609fd45176e10705898e6218cc8d54bde416f938d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
13cd27b65f12a51346b89773cf2ebd9d

SHA1
301c81493893c00a088e1a49a7d0dd206e89d51a

SHA256
69b3f450c8965f42f1d888109da205adac5125dc78a43f81015fed8658ed35ae

SHA512
9b10db19a1fbd0e721a87812c4fe672363e7c3fc552a90c2f0188da341c409b68e285b39b242f6a879281ab7d71917ea76c6b048f4db693c079bca696740b504

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
008506682ff339d196efaf46d9f655af

SHA1
e45be1c2da6b54d490cb2604b9ef09864c59d9ff

SHA256
92936f59f1d08f365bb28d1f222c0b9179c85ef4ae9029a97d915f233e414a7b

SHA512
8ec06ae76663edcc1eb09c5ada3d83cce85726e03a05c40b83d683cf5c32aa5e5b100c06a4e87b2637d83997767e63f4d6cb959c3543f1bce3660c477e8be8ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
47KB

MD5
0d89f546ebdd5c3eaa275ff1f898174a

SHA1
339ab928a1a5699b3b0c74087baa3ea08ecd59f5

SHA256
939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e

SHA512
26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
26KB

MD5
5dea626a3a08cc0f2676427e427eb467

SHA1
ad21ac31d0bbdee76eb909484277421630ea2dbd

SHA256
b19581c0e86b74b904a2b3a418040957a12e9b5ae6a8de07787d8bb0e4324ed6

SHA512
118016178abe2c714636232edc1e289a37442cc12914b5e067396803aa321ceaec3bcfd4684def47a95274bb0efd72ca6b2d7bc27bb93467984b84bc57931fcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
38KB

MD5
c7b82a286eac39164c0726b1749636f1

SHA1
dd949addbfa87f92c1692744b44441d60b52226d

SHA256
8bf222b1dd4668c4ffd9f9c5f5ab155c93ad11be678f37dd75b639f0ead474d0

SHA512
be7b1c64b0f429a54a743f0618ffbc8f44ede8bc514d59acd356e9fe9f682da50a2898b150f33d1de198e8bcf82899569325c587a0c2a7a57e57f728156036e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
20KB

MD5
0b17fd0bdcec9ca5b4ed99ccf5747f50

SHA1
003930a2232e9e12d2ca83e83570e0ffd3b7c94e

SHA256
c6e08c99de09f0e65e8dc2fae28b8a1709dd30276579e3bf39be70813f912f1d

SHA512
49c093af7533b8c64ad6a20f82b42ad373d0c788d55fa114a77cea92a80a4ce6f0efcad1b4bf66cb2631f1517de2920e94b8fc8cc5b30d45414d5286a1545c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
18KB

MD5
7d54dd3fa3c51a1609e97e814ed449a0

SHA1
860bdd97dcd771d4ce96662a85c9328f95b17639

SHA256
7a258cd27f674e03eafc4f11af7076fb327d0202ce7a0a0e95a01fb33c989247

SHA512
17791e03584e77f2a6a03a7e3951bdc3220cd4c723a1f3be5d9b8196c5746a342a85226fcd0dd60031d3c3001c6bdfee0dcc21d7921ea2912225054d7f75c896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
37KB

MD5
56690d717897cfa9977a6d3e1e2c9979

SHA1
f46c07526baaf297c664edc59ed4993a6759a4a3

SHA256
7c3de14bb18f62f0506feac709df9136c31bd9b327e431445e2c7fbc6d64752e

SHA512
782ec47d86276a6928d699706524753705c40e25490240da92446a0efbfcb8714aa3650d9860f9b404badf98230ff3eb6a07378d8226c08c4ee6d3fe3c873939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
20KB

MD5
b9cc0ef4a29635e419fcb41bb1d2167b

SHA1
541b72c6f924baacea552536391d0f16f76e06c4

SHA256
6fded6ba2dd0fc337db3615f6c19065af5c62fcd092e19ca2c398d9b71cd84bf

SHA512
f0f1a0f4f8df4268732946d4d720da1f5567660d31757d0fc5e44bf1264dfa746092a557417d56c8a167e30b461b8d376b92fbe0931012121fac2558d52c662e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
26KB

MD5
73fc3bb55f1d713d2ee7dcbe4286c9e2

SHA1
b0042453afe2410b9439a5e7be24a64e09cf2efa

SHA256
60b367b229f550b08fabc0c9bbe89d8f09acd04a146f01514d48e0d03884523f

SHA512
d2dc495291fd3529189457ab482532026c0134b23ff50aa4417c9c7ca11c588421b655602a448515f206fa4f1e52ee67538559062263b4470abd1eccf2a1e86b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
58KB

MD5
6c1e6f2d0367bebbd99c912e7304cc02

SHA1
698744e064572af2e974709e903c528649bbaf1d

SHA256
d33c23a0e26d8225eeba52a018b584bb7aca1211cdebfffe129e7eb6c0fe81d8

SHA512
ebb493bef015da8da5e533b7847b0a1c5a96aa1aeef6aed3319a5b006ed9f5ef973bea443eaf5364a2aaf1b60611a2427b4f4f1388f8a44fdd7a17338d03d64a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
18KB

MD5
8bd66dfc42a1353c5e996cd88dc1501f

SHA1
dc779a25ab37913f3198eb6f8c4d89e2a05635a6

SHA256
ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839

SHA512
203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
18KB

MD5
f1dceb6be9699ca70cc78d9f43796141

SHA1
6b80d6b7d9b342d7921eae12478fc90a611b9372

SHA256
5898782f74bbdeaa5b06f660874870e1d4216bb98a7f6d9eddfbc4f7ae97d66f

SHA512
b02b9eba24a42caea7d408e6e4ae7ad35c2d7f163fd754b7507fc39bea5d5649e54d44b002075a6a32fca4395619286e9fb36b61736c535a91fe2d9be79048de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
39KB

MD5
a2a3a58ca076236fbe0493808953292a

SHA1
b77b46e29456d5b2e67687038bd9d15714717cda

SHA256
36302a92ccbf210dcad9031810929399bbbaa9df4a390518892434b1055b5426

SHA512
94d57a208100dd029ea07bea8e1a2a7f1da25b7a6e276f1c7ca9ba3fe034be67fab2f3463d75c8edd319239155349fd65c0e8feb5847b828157c95ce8e63b607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
53KB

MD5
2ee3f4b4a3c22470b572f727aa087b7e

SHA1
6fe80bf7c2178bd2d17154d9ae117a556956c170

SHA256
53d7e3962cad0b7f5575be02bd96bd27fcf7fb30ac5b4115bb950cf086f1a799

SHA512
b90ae8249108df7548b92af20fd93f926248b31aedf313ef802381df2587a6bba00025d6d99208ab228b8c0bb9b6559d8c5ec7fa37d19b7f47979f8eb4744146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
88KB

MD5
76d82c7d8c864c474936304e74ce3f4c

SHA1
8447bf273d15b973b48937326a90c60baa2903bf

SHA256
3329378951655530764aaa1f820b0db86aa0f00834fd7f51a48ad752610d60c8

SHA512
a0fc55af7f35ad5f8ac24cea6b9688698909a2e1345460d35e7133142a918d9925fc260e08d0015ec6fa7721fbeae90a4457caa97d6ce01b4ff46109f4cd5a46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
105KB

MD5
b8b23ac46d525ba307835e6e99e7db78

SHA1
26935a49afb51e235375deb9b20ce2e23ca2134c

SHA256
6934d9e0917335e04ff86155762c27fa4da8cc1f5262cb5087184827004525b6

SHA512
205fb09096bfb0045483f2cbfe2fc367aa0372f9a99c36a7d120676820f9f7a98851ee2d1e50919a042d50982c24b459a9c1b411933bf750a14a480e063cc7f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
16KB

MD5
5615a54ce197eef0d5acc920e829f66f

SHA1
7497dded1782987092e50cada10204af8b3b5869

SHA256
b0ba6d78aad79eaf1ae10f20ac61d592ad800095f6472cfac490411d4ab05e26

SHA512
216595fb60cc9cfa6fef6475a415825b24e87854f13f2ee4484b290ac4f3e77628f56f42cb215cd8ea3f70b10eebd9bc50edeb042634777074b49c129146ef6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
65KB

MD5
0c3ecdd95c2f73c55c7e223bdd76a64a

SHA1
e2cfcf25c29ac990426ef168678f3718d9bebd0e

SHA256
f6b14fb731c0874a973319ecb9f91d7c4bb4876fb2bc5c3c78717ed64c6beee5

SHA512
65bed963b5fe8b8ab24b154f891a9aabb2f44dc7c4ba39574dfd472432f52a65049d03013099c0d7db58d6b79c793178178865829e7c7c076dc774d2930899fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
271ee9baaeb948348f147d46ded8930a

SHA1
927194638f78a0c4cec5cad00b4869adfa15c1e3

SHA256
f3b6311b2ea6292854a71733acdcc38cb7d780feb7547f46c43d146da1c850ce

SHA512
d6068066737f185bf74d02f7e2bd54d86ade30d3aeaa4e1f17bbe806a69db548b7444a4973a3a5ede961c1ee24f29f0bcd28dc43651cef136c5decbbe7e59042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a64a03d6e9ad52097d46c7c223ad5b35

SHA1
c143fd4a9138ef5a95c474c14183af026d31707e

SHA256
30038dd61f1e6c2918ae5b7acef65417f193852f3c1cd1591b7cd0ffe21500d9

SHA512
cb3021052c710fb4b210c1df153834a45a0c049da0bf805e518dd2180a280ed9b3c18cc0d9e2bbbdc23cd0da7bb098fbc7a7a3769152380703d68028e224be3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
bdcbc7375b1fcbc1c00e0862371516ed

SHA1
df7f24bf2735d03fc2361c2776b6af86e54c934a

SHA256
0de27f55ae1f62d8e3ca6b8e17e633564d4f661686acc71da5427aa1c552b038

SHA512
5054544a11ee52ca0d09dc22a4596f1d8cfe9b91f25527c58d759f0946410f47117127f965dfb286a262787e1dc7ddab293fa7ddba1b8b4c3d33f7de7b9589f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
932B

MD5
aac20623a3d9f4062a91adc68305c449

SHA1
55b107353aad09a0129cac5307177a54d2645f15

SHA256
dcbe97f385d659256d4ada618455213262ee6099a707db2b747bcdae902d7877

SHA512
d7ca3c25ac5b779ffe2e836fad6033d5169b67b3da020e3f712f7c8ef17fe70af2a517e34b9ec4c59f6d59549562a562d28881574c94d10b9ab5d6a9a86c3749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ea3b9b6f8ef199afe4a8ed2116e1b342

SHA1
f5d267fd8e0c413e237e465ea7750ae8b978877d

SHA256
de5607291accce7e467915ea09d58077188654ad53f6fb73c44d84f4fffae5dc

SHA512
69e3baaa4720d7d0ce3da212f61b649f2bb0fb5bc4b8b4290bc97d5195a5b14bcfe8758e4d7a61ecbc474974ac5deb8c6ac93283c74fbb41ae4dc8a90f488aab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2fa01c533696e1b471dd6a614c009526

SHA1
a165b8581f6b6e267a93372f42260c3151bf3498

SHA256
bc8dea99c09288e8253d5d576a53b86526df2af6f14b14f0678a7b74dfd79459

SHA512
892abafc80691be6922f24c9cd4c7a67b38a6e764b0689240c179d17ec53f00e123db99a7724416446af996c8e9d38e475aa63c5075001eb3f605eed56f49a43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8a1a0cdab2ec19ab25b4467613a33324

SHA1
f852501a294e358924fe03b33885898e25485cb6

SHA256
33e34932f3ea5994f28a6799ece7c21fc1c1bfacae8ee1436eb67dd4866f7f8e

SHA512
4a92f4363ae1754e47b6c79f90bdd9a0279e5325cdf90ac0ddf961a6186e76b84127094271cf83e5f93c563a21d84c1fcccd2cd59f3a2e55392cbf5145f72676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7380dc72a0e1b3863fbc467a3b323208

SHA1
183cc260454b545dee933bdfe6bcf10ff8359d1c

SHA256
741e2e1f494634423c26a70a049b39217a2472ac4c6a59304749fd56bc44de78

SHA512
b7c90113d6719c0effe570c4be28c997cbf0c804c0a5ae1a9876f2b993502a8402ccd4ad18a659b51ad0c93a8194b28486a42d58a360c13cf8e11559eb8437b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
67d87c392a63d79efff3020a01399d93

SHA1
5119385ce5dd54ef0ebe2555f823756e291328b5

SHA256
793122aa9a061ebb6d9ccfb62da51fa021fc9c0ba629f156f60a1c275bb43fb7

SHA512
c51e71b95c977912a5413e316d54f32591fd86deda811435361b9a2440f6d92ec11e92c01adba83f3cd5fe98030f361b83c403db869a74ba79b9602a981ff452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2a00f60d398ecb0b5fa9e86d739c2ea2

SHA1
9512ee31ea1ea2bd8749499558cce4535eac30be

SHA256
b856e171c48befcd149be68d42d74981e2a46ca8eb3c9519d99c6bfecd42db38

SHA512
e7eba69749275245123096017fefd356879748299e7a63d43abc983a23bcfc828eecd66ed33c9309758328d92a1146181e05059d7a76b9b8ed76c0e66852bd58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ab358b6502748682e329ae7c90d26d4a

SHA1
8abd7591dda79adc3e264e3ce8f8b64e984b4165

SHA256
a504021189afabc813172d78b1f555ec8ae933d9445583c9978a372d67618815

SHA512
f6d3d2a79abee3bc41f677ac4e48b7f4934977b6d5e2fe7e92600674deb1761b4546a3a324e63902fe1d46593bc3f271ed3af278770cb0495e50137e3a4d9a3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3ab66d9a09c3561afae0be659956a3f5

SHA1
4ed10ddc69aa8d71f7ab50148f90d55ab0469876

SHA256
1be0cd9d3ae97ab54ebcc1bb23c74b88f2827a3cf5f559f0159e9d5d262512a8

SHA512
5009e04b1c594cb6a9c359087a49f323a73a9adb43a62ce504b066163182959b765f4d72d6546e0821fa80eb20e34bc7e11e3556b1e6d26460f9f96f1629e8c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1378fd13f0021a52fd556d6435b422ef

SHA1
f3d3bffa5c1165ce99aef29828329fed55f33678

SHA256
c4af10d217a59d097750744d324f11b9f8f0437e3b26d5d6903fce307182a660

SHA512
b49ac47d0323637506362b11f368f914c2a5eaeb9371db6ee7ad84c4fa642a807515c1c4c5d37a111f91cbbcebe19d9118b1587f63aad44d6f26f64d6fd0f1a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
49f69d326b8e6eacf4e784b17e029254

SHA1
7801a0a00eebd9db64279f9a1f8e4553a6295708

SHA256
efc693b407218a32897d7bcadf53c95cf9363ffae95a4934c69ca6d1d310e7b7

SHA512
53c537ff52735d8b170449a13f1f7280181979139b217f1236ade4742dbcefaaee6150244ad44ed1073afddaa019ead712acee7a56e0e8fdc08fc0b1cc50b671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
47c50202960cf3bfc9efbf288f62434f

SHA1
72815ba3ee48029736bfa15d7ee4b7670395edf3

SHA256
889b43b1caf16c24bd323a736c7079c3cf6ba0d45fa038cc7b98f94e4e176860

SHA512
bcc5195a6979677484b4b264b733b6a8930bda1019f465368b6839f630301879ede24362b7b1b3bd2cca28fde75e4a2f3e541722a2ab639eeff8b6e26b001210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2047ece35164613f31aab0aadc63481e

SHA1
5d40265f426ad0859dee31625902d0737acd3df6

SHA256
3cfb58b11c502974ecd6dedde5e0fafbc87143143fb7ffbb1c33112201ebdb6c

SHA512
d441af48c1ab35cf6d64a5b27582ccd25d582c50e001462ae8cdc323e7cd7d8ca763cddc0f42243645de08305101df43d79c09ba1aafa51ba8bce4d43d6f4d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a9353863c85aed51bb38a90d70b82475

SHA1
a6b89cf766ee241400e54c5535886a0f47058d20

SHA256
8a4c6770a9c836dd72548f8d1686df213d0d15d01848075df66ff0812da0e900

SHA512
58db689adfe240c6e8c1d4cda0048a63710178e114028d45206bcf96532d8d47d0ae0e58c6cfe183db3f6b3cf16f40e9eef7c4cbe703c1a814ba380556ad0f63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
021e4f74c21e76702c4974ccabd242d4

SHA1
b4325c276e94e021c2232fbb62cc2dff1d5b9e90

SHA256
3c27b92e6f7b4f58d4e2da7cdfd7bf6b327cb929c70a7776fcd040895e0b5193

SHA512
c5d79f107ccfdff11807374ebcaaac4e653f59c758e4fef2a3f0f9e994ea6325baf3600993f688277bbff5fd5039a59345a73829ec76b2ffb256ff4a6c0c69b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
027ebc010205d79d4e823712d9797c9d

SHA1
ee2100b256b49f201c2b6fdf79462f18fe261abd

SHA256
24137060161bd80017b3bdc12921f43e7d997371913f06d1702f95801d2a48bb

SHA512
8f816ea4ea3501132aded0675e259fb5f1ecf036f92bcada70fa98923ed9ceafc046f2be792e09cae5c9e05d55767e7742a3334912a9db56064f80544e58d285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ec81cf28f6bae6e9c34e2551112b7801

SHA1
13ba3ca3df0ae1b0d086bf71f86858359edf05cd

SHA256
8b4f1a8e5ece66cdd06be71a974909e51630be6d8b34c43107b469b695d35863

SHA512
16fa86c9b00d7cc2e10ed52c43009dd50cc2bb9ca32f29daab5f5b8a227398728e274a71b42e3fcd1f2b9994bedd57b1319617de094030d46254c3c1791ecded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
03e316546631b00487afeee8d876f6cc

SHA1
75a3315209fa8da99bcddf0ac81c65aae65f9af2

SHA256
cb501b8f48a088363c9e367b48ad7b6ed2a9fdd3c773de70bb0ab833c92161e1

SHA512
c89825cdf76e6195b2339f9a63fd0a9574e79d0b49cbd3d3fd863614ef99aa7dfa26c55f0326fa2671fe5b7d2a3fdbfc3f1ce49142b2f99a72aab2c15d175ec5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f64d2aa0305dfe3c8ae09d49f2e7078f

SHA1
53f11496bc5a7599cd9995a59ccd4e6862e1c8c0

SHA256
9a23ebb1cdecb401910644c435531843c4ce64854732b2b8f48d621bbc6fe592

SHA512
33ad208203d9999d02094991102e5c155c5f3f417306425f15286e7517ad5bca759ad44173e404e80795e762886998578f3b7c8845d7d9357003db340197923d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
869798ba79f7110f54fdd4a0fd376966

SHA1
281f4be06fae24bf6b2d42049b646ab06aa92270

SHA256
3c6d80fcf9fea7828892f3bc0ad6f9e56d3e840eaff297aa0b390a69f0521ab1

SHA512
7586763448fb15cd746b58785e958cd0b64ace392fa901e7dd1e0b2b7d418f24047ee597124f154d5c6dd5302fcad9c6a9dc5eaa5ac2c70ea64a213d2a54d707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c3956c147525f351ae44861cbbd183a8

SHA1
9d70cd322f23b2f67a074534e471e8ed27f6c458

SHA256
eeecb2727b8ea6817d71621289fed9d381296ac7f4717651f8fe7125965fb039

SHA512
28a5768bba4bc155c19c3ff08208426e7527e5fc1af770c1149d4d5a20cb595fac29959d22ef60cb51fb9e39614f90e3cc3d382eb44c1e12c1af4e9c643f29da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4ae3fbbc8407ad65f405a68a40ca8571

SHA1
cf53f0ee0299ca583526adcc9f794489a858e545

SHA256
93d3d06ace218e62b37961065bae18d8e340815b241dfce0daccc96689410e88

SHA512
b185e8219ef72597fc8912c15f4d6fe3d2c62f99de418b8e257c8c6e4ed9a196846e23128840ffb748f787b8558ada3098fd36ecc451ad17cd98419699f5a90e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
087620aed097f41252a8e118d2d21cd0

SHA1
37d554a9a76e06522bca84e277a95ccbe76995a8

SHA256
a7cf9c935f7a7aabf1b32c82f45af2252d40733fe02b12396418b50c5deb31e2

SHA512
111360e8ff308e84be0e0ead2ba7c025fb1ce819c2e081fd81c3532765e9ddf88f04f103e99514725e50b1c789d0f828649bab7dd2cd5bf3c400f5c60ae9be89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e340a84ed047d01b8870c4035d3d1f5d

SHA1
d4f035690724587ee371b11e3ed5a85d88ef56fd

SHA256
bad2a87bbd1b322da70c0233e3673ff51316befda2f1ca6debea025efc849736

SHA512
1ed403b5dad039bb57b38782ad21ba1e4c82d62835fa133907bc1a0934b51c758fb29af2357155801550199fc196c1359837d30edbd328aa2b0327cd54b63b3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
17c4f4777f274d566aacd9e493dfd8c0

SHA1
3abd938269f13f6da7f96e26149b668add962150

SHA256
dbb0ad748129579de6fdbdba0b28791fbbe68bb7cafab9d3e11a25da4848f927

SHA512
844dac83b4875e8ffd6b65fd232ea42a375dbfbe3276477226a8ff5088a33f1aed06f8f69c37f2322929af01222c72e5a1e7fd87e41c72408a073d1b8aa09456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1f7ae0df1cf047617a27ccc923b8562e

SHA1
fa5094f428ddfee910ad22c911517f194174a0bc

SHA256
f78bb2d911d40ae85bc28f7b86ed06e770d6609ba6e738d1f1516c6f1ac6f81b

SHA512
0119bad30ad8a85080aeaed004be9b7b7de630a5d08a9997d633c0442824c78cd39e71825bca14428c0741370d36591d04ef1b1928a5fcd3115182dfe5580a8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eac71fa8576272651d50106ffbd7dd60

SHA1
535e817fcc81ace20c90b0e77b75d2579840dbae

SHA256
62a6e01035b110c48b5aab2d4b10306159add17c6087faaaec4a1afaeb5aeab7

SHA512
047be345d0e5a0a966058659832bb35f5f4401b2b93f099a5fc4401a4cb014047e3518a2d79a5e96abb58907a2325edc457bcd56be74a826ca5958bd4f8ae862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f1531dacc6ee6c99694aa93f00e4a660

SHA1
1bed0960de6ce4a1650ccac5d77cc90788d8fbe0

SHA256
f4149561cef21b7a2689765c49929354747e42c16d49db284f161f03193dc4ea

SHA512
c5025915d2f97af1503059c506ac5520417b1dceffbe54a576277484767388e452e656cbf71c8faefa96f5c8f3b893f1ab7bebb776d317b36e82c91359f38a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580858.TMP

Filesize
370B

MD5
c67ead9d67d0fa7cc69536df28fdab96

SHA1
2d38ef4a9c05c1bedc61cc0e4ebf6922c2e7de9f

SHA256
d3f540335bb52d3a29eb9d3e74af4a68dbdb04fe2fb28d21cf68e0d77e401067

SHA512
35d028e231dfcaf2f2465ad4cd23b157300a4b6160f17a1a205db5da23f543a4be14407f35b955f27efe4f59a7efb7dc587a80055b820583066c4953de912b8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dba3dd0589a8fdded1a47ff1e7efc75b

SHA1
c29af434e4e5b27687411c9f83fcc669afa91847

SHA256
d780dd2ecc930fda6d0cadbd7a7d74fb0da3b590917f18ad1dff5764b7dfc32b

SHA512
441d580fa8cc9f37e3ed0edddca34a52e41a443a38033c298797bf7928d82fe7f6e354862efe2693c663f81bc654f735584afc9ab61ffea596c8f5ec866748b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6b1473f99cc9e29dc23d8f1a6baa15e9

SHA1
5869d6fdb99de2e910e9d49bb6ff2faf9878fb97

SHA256
804fea70a4adb67efe2d5b0a6b87d7ce0cb46db76a44a7703c22f8588e1b2e24

SHA512
ee2ddaba74b2a723cb20206fab8cacc919c88223986ea4a556104e86f6e8b2ad40adae79245681c6ac06b80be59c08b93a9bfebab4ea95e57472516373da9220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
08815316917c17ed83c1ec43b45a970a

SHA1
141234abc2340a1b4c239c2645503fe9ee72639b

SHA256
094b37fd9f0395a478c871db32730e8c380ca13c7fe134f7c49ef20b5189ead4

SHA512
b293c77f5d44218b076a731eac96b49fcf593feadc2243365c688ba7530ed9395835f72f3d30e5706038ca92001225904a9b6f609f39614330546fd0d2220c63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e42ee018b3f502bf86a6f2e68b79683e

SHA1
22915dc5658b15b6d9416eaaf9244e7887a4febd

SHA256
7966b0fbbcd8e50c67dc8f1dd42eaf40dd89381af8a7ae462a1fc92d454ea0d3

SHA512
1c80e1ebf863ce94fd98ac7ea778be2d23682903fa250e338e84558e79543cb232921dbe8db7135cff527efe58ec64335d5d45e5c693e51ec4f566e9544ad5ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\AlternateServices.bin

Filesize
6KB

MD5
29c678a638035a0047a952ffe76fdfb6

SHA1
afcfae26a0b4b29c02e4ac089480a3bd2ee5dc79

SHA256
efceca6b3459fa4ff97b7e7d5ae5081bf884ceccff67d42b96e3a10849be80d0

SHA512
cea500e0997833bddbed2cd842c8772c69e6ccae9c98c9068f15a93b3c3bbf704b01c4dbf04c20e325e358a78b35c45083bd7a468ecca96999188f88fbbe6fe5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
13e7336d3b761414e076cbe0070f1252

SHA1
e2a357c1f4bafdc609829247c17dcd3bbfd40292

SHA256
fb8387fc373c64310b8ba24775848226835814847891bee7c8f8a25d218d9838

SHA512
9a204f93661c3e4f7e880a44f3b6153370ce7901381feac2a620b5b64a7a5dc4b13ee98b3476489c9e1b31b82552e7ddad5c3d73cf5ac3047810b0f9f3800ddc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
06ca4cb089da786e64af630b3cc5d564

SHA1
bdaa0e5bff35d59ed4a850978a6e45a1781e0663

SHA256
ffafaed2cdcb79fceb92599f158a1278c042fd1b4b9814e1dbb4625ee4c25592

SHA512
e583659c4306d20738d305f0fd9edbba08cfc46892abd86796c6e4cef9ab755286dfa51960992f1f6ecd5da463d09446b7dd46eb78feec1f992e98229b3f80d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\0a2d732a-0ec3-47cc-86d4-26c7d5613cf8

Filesize
23KB

MD5
63e94687b48d1f1388fd8486e7a9b78d

SHA1
0b3d2dc2202c5862c3c691c15344c1c3105da181

SHA256
5859d28989fdf57f01a4ec1b44acd5a9d3ee7cb52f33e73238792eff35860efe

SHA512
2edaaf30126bac2dc87ef28e62b2657da8f258e3bdbdd71b711876a326ebc3ac01a29dbd14ca920f9940fefa2dde623ebf1a035a2fbe2e19f75ca2fa00f33ea0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\1887dbe7-b7c7-4f85-8c15-b383637cb7dd

Filesize
671B

MD5
cdb4e12427fa7c4184ff537c22f9fef9

SHA1
0c37ed2d004eaf685541f8649e8d0f582d13dc7d

SHA256
888967c1d2da1eb490bf57cae372668b9d5369e428eca30c7bf10f7001e5800f

SHA512
f2e62cee5dfc3c86e31c19f0bb4765f028927bf8969016ffde626d33be4898f12b7ac3e6998eae390e8975876072bd03228b8be7d565bed82e0c90d7d7f57e9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\datareporting\glean\pending_pings\a71db631-3f1e-44da-8f12-f66f00435e3f

Filesize
982B

MD5
5869bcc03fca1bfd2a5e23692458adfe

SHA1
e67687733cf84167816b311149b7844878e42647

SHA256
d61513cdb10151c09b88a8809fac54ab2c8c1b0c318e2fa8212156d41a13fc60

SHA512
e9d840fad47d6121159cd3963ca6c0381559027466678716395da401983e6444135b225aa557f9b1eaf2b34b8b6130bdd5ce39539e861619e05dcf9097e25286

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\prefs-1.js

Filesize
9KB

MD5
25462544841d39ecb66237dc1bf866df

SHA1
4ee9c781cdd75762e07c1b834b79a691c863b37f

SHA256
c0c82f5c9236fc4324586c34a05090e703e83019b18a5310df295811adc8998b

SHA512
28875f3862698cc90866518087955660ac72f63dee19ba4cc411395296b3dac9616b82b7a72da890fc88bbb961f895f8b9e086195cf95b7f12e63afbfab96c4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\prefs.js

Filesize
1KB

MD5
01ba1e84f2ebccd1fd431d992e534793

SHA1
bba2106382f2b8aa59ad9d1c8f4a671c564b5bae

SHA256
27f89a8817f1ddd14bd314663d6aa1e9a86e36c63d08b0006ac42edd045df435

SHA512
96cb82b92f0c6a3ab9fddefbc11d109aaf19f7a98fedcc87fde0bb59b2287ea3428e1fc820416fe0e55cf9695d0e50a9b367364c9d25760f7730c130fb31375f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jj59r4xg.default-release\sessionCheckpoints.json

Filesize
228B

MD5
66bdbb6de2094027600e5df8fbbf28f4

SHA1
ce033f719ebce89ac8e5c6f0c9fed58c52eca985

SHA256
df49028535e3efe4ed524570624866cca8152de6b0069ebb25580fce27dccebc

SHA512
18782069ef647653df0b91cb13ba13174a09ce2a201e8f4adfb7b145baf6c3a9246ef74bdad0774a3023ec5b8b67aba320641e11dd4b8a195e1c2b448202a660

Download Submit
C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151 (2).zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151.zip

Filesize
1.4MB

MD5
473eca3ac6347266138667622d78ea18

SHA1
82c5eec858e837d89094ce0025040c9db254fbc1

SHA256
fb6e7c535103161ad907f9ce892ca0f33bd07e4e49c21834c3880212dbd5e053

SHA512
bdc09be57edcca7bf232047af683f14b82da1a1c30f8ff5fdd08102c67cdbb728dd7d006de6c1448fdcdc11d4bb917bb78551d2a913fd012aeed0f389233dddf

Download Submit
C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\smb-d1674sc2.zip

Filesize
626KB

MD5
f398754395031016fad88823e457fa0c

SHA1
df7d92b11f411bba476effdb949f9b913de88563

SHA256
5104a641086328185e0d41db0dffc8f16a68e06c459d77c377e510c4560c2362

SHA512
48aaa85f4a8d1d40a0b6e48c4b51a65313ccba23c709ec36d3637768db503d1f5f7b34e41640dacc603c770920ba582af5bc6a1756aa567b6cfef1f0c9cc8e65

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/1012-3030-0x00007FF9D3270000-0x00007FF9D3280000-memory.dmp

Filesize
64KB

Download
memory/1012-3074-0x00007FF9D3270000-0x00007FF9D3280000-memory.dmp

Filesize
64KB

Download
memory/1012-3032-0x00007FF9D3270000-0x00007FF9D3280000-memory.dmp

Filesize
64KB

Download
memory/1012-3034-0x00007FF9D3270000-0x00007FF9D3280000-memory.dmp

Filesize
64KB

Download
memory/1012-3075-0x00007FF9D3270000-0x00007FF9D3280000-memory.dmp

Filesize
64KB

Download
memory/1012-3036-0x00007FF9D0840000-0x00007FF9D0850000-memory.dmp

Filesize
64KB

Download
memory/1012-3076-0x00007FF9D3270000-0x00007FF9D3280000-memory.dmp

Filesize
64KB

Download
memory/1012-3033-0x00007FF9D3270000-0x00007FF9D3280000-memory.dmp

Filesize
64KB

Download
memory/1012-3031-0x00007FF9D3270000-0x00007FF9D3280000-memory.dmp

Filesize
64KB

Download
memory/1012-3035-0x00007FF9D0840000-0x00007FF9D0850000-memory.dmp

Filesize
64KB

Download
memory/1012-3077-0x00007FF9D3270000-0x00007FF9D3280000-memory.dmp

Filesize
64KB

Download
memory/2072-3087-0x0000000000E90000-0x000000000118E000-memory.dmp

Filesize
3.0MB

Download
memory/2072-3041-0x0000000073870000-0x000000007388C000-memory.dmp

Filesize
112KB

Download
memory/2072-3105-0x0000000000E90000-0x000000000118E000-memory.dmp

Filesize
3.0MB

Download
memory/2072-3111-0x0000000073480000-0x000000007369C000-memory.dmp

Filesize
2.1MB

Download
memory/2072-3160-0x0000000000E90000-0x000000000118E000-memory.dmp

Filesize
3.0MB

Download
memory/2072-3042-0x00000000737E0000-0x0000000073862000-memory.dmp

Filesize
520KB

Download
memory/2072-3098-0x0000000000E90000-0x000000000118E000-memory.dmp

Filesize
3.0MB

Download
memory/2072-3093-0x0000000073480000-0x000000007369C000-memory.dmp

Filesize
2.1MB

Download
memory/2072-3040-0x0000000000E90000-0x000000000118E000-memory.dmp

Filesize
3.0MB

Download
memory/2072-3086-0x0000000073480000-0x000000007369C000-memory.dmp

Filesize
2.1MB

Download
memory/2072-3080-0x0000000000E90000-0x000000000118E000-memory.dmp

Filesize
3.0MB

Download
memory/2072-3104-0x0000000073480000-0x000000007369C000-memory.dmp

Filesize
2.1MB

Download
memory/2072-3046-0x0000000073480000-0x000000007369C000-memory.dmp

Filesize
2.1MB

Download
memory/2072-3043-0x0000000073750000-0x00000000737D2000-memory.dmp

Filesize
520KB

Download
memory/2072-3024-0x0000000073480000-0x000000007369C000-memory.dmp

Filesize
2.1MB

Download
memory/2072-3025-0x0000000073750000-0x00000000737D2000-memory.dmp

Filesize
520KB

Download
memory/2072-3026-0x0000000073720000-0x0000000073742000-memory.dmp

Filesize
136KB

Download
memory/2072-3027-0x0000000000E90000-0x000000000118E000-memory.dmp

Filesize
3.0MB

Download
memory/2072-3023-0x00000000737E0000-0x0000000073862000-memory.dmp

Filesize
520KB

Download
memory/2072-3044-0x0000000073720000-0x0000000073742000-memory.dmp

Filesize
136KB

Download
memory/2072-3703-0x0000000000E90000-0x000000000118E000-memory.dmp

Filesize
3.0MB

Download
memory/2072-3045-0x00000000736A0000-0x0000000073717000-memory.dmp

Filesize
476KB

Download
memory/2072-3166-0x0000000073480000-0x000000007369C000-memory.dmp

Filesize
2.1MB

Download
memory/2836-1560-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download