Analysis
- Max time kernel: 1714s
- Max time network: 1743s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240704-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 05-07-2024 19:34

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: Dual_Keres_Prime.html, resource: win10v2004-20240704-en)

Errors: none listed
General
- Target: Dual_Keres_Prime.html
- Size: 780KB
- MD5: bce9179b0a24eae8fddb8ff9d6a0e210
- SHA1: 74b17a58bc1847c42ada876191f7435fe4317ff9
- SHA256: 08920d5fa03dd4c0d63aaa30be026c00d8b5f56c7ebb2852f2c5f021f06ec8f1
- SHA512: 57d8da2c4fc1d09b6a483f66da8cfb52d5c782b0658018a55ba8e001c5256bd0d4f144b705ce13fa3adcc5116b2a207fd4c03a21a0df75eb1010d514b6e9eb0a
- SSDEEP: 3072:9+78i5tlGXgRf25KirmhEZlhneOjcF8rdg78kgHH4J:g78iUKiyhEZlhnK8pWhgHG
Malware Config
Extracted
- Path: C:\Users\Admin\Downloads\@[email protected]
- Family: wannacry
- Wallet: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Birele.exe" (process: Birele.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" (process: reg.exe)

Sets EnableLUA to 0 (disables UAC) (1 IoC)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: reg.exe)

Wannacry
WannaCry is a ransomware cryptoworm.

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Contacts a large (1273) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Disables Task Manager via registry modification

Downloads MZ/PE file

Modifies Windows Firewall (2 TTPs, 2 IoCs)
- PID 6728: netsh.exe
- PID 4792: netsh.exe

Drops startup file (3 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD3BE9.tmp (process: WannaCry.EXE)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD3BF0.tmp (process: WannaCry.EXE)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe (process: CoronaVirus.exe)

Executes dropped EXE (64 IoCs)
Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys (process: Birele.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc (process: Birele.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager (process: Birele.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys (process: Birele.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc (process: Birele.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power (process: Birele.exe)

Loads dropped DLL (8 IoCs)
- PID 3292: taskhsvc.exe
- PID 3292: taskhsvc.exe
- PID 3292: taskhsvc.exe
- PID 3292: taskhsvc.exe
- PID 3292: taskhsvc.exe
- PID 3292: taskhsvc.exe
- PID 3292: taskhsvc.exe
- PID 692: rundll32.exe

Modifies file permissions (1 TTP, 2 IoCs)
- PID 1264: icacls.exe
- PID 1156: icacls.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

YARA rule match: upx (3 resources)
- behavioral1/files/0x000c000000023346-4764.dat
- behavioral1/memory/6068-4989-0x0000000000400000-0x0000000000438000-memory.dmp
- behavioral1/memory/6068-24056-0x0000000000400000-0x0000000000438000-memory.dmp

Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oztitnmx349 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\"" (process: reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\Downloads\\Birele.exe" (process: Birele.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" (process: reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" (process: CoronaVirus.exe)

Drops desktop.ini file(s) (3 IoCs)
- File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-2547232018-1419253926-3356748848-1000\desktop.ini (process: CoronaVirus.exe)
- File opened for modification: C:\$Recycle.Bin\S-1-5-21-2547232018-1419253926-3356748848-1000\desktop.ini (process: CoronaVirus.exe)
- File opened for modification: C:\Program Files\desktop.ini (process: CoronaVirus.exe)

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by Cerber5.exe: \??\u:, \??\y:, \??\z:, \??\h:, \??\i:, \??\s:, \??\t:, \??\j:, \??\x:, \??\q:, \??\r:, \??\b:, \??\k:, \??\o:, \??\p:, \??\m:, \??\n:, \??\v:, \??\w:, \??\a:, \??\e:, \??\g:, \??\l:

File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTP)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 7 IoCs)
- Flow 127: raw.githubusercontent.com
- Flow 128: raw.githubusercontent.com
- Flow 146: raw.githubusercontent.com
- Flow 166: camo.githubusercontent.com
- Flow 800: raw.githubusercontent.com
- Flow 805: raw.githubusercontent.com
- Flow 820: raw.githubusercontent.com

Drops file in System32 directory (1 IoC)
- File created: C:\Windows\System32\CoronaVirus.exe (process: CoronaVirus.exe)

Sets desktop wallpaper using registry (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" (process: WannaCry.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" (process: @[email protected])
- Set value (str): \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" (process: @[email protected])
- Set value (str): \REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\Desktop\Wallpaper = "0" (process: $uckyLocker.exe)

Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (6 IoCs)
- File opened for modification: C:\Windows\infpub.dat (process: rundll32.exe)
- File created: C:\Windows\cscc.dat (process: rundll32.exe)
- File created: C:\Windows\dispci.exe (process: rundll32.exe)
- File opened for modification: C:\Windows\E2A1.tmp (process: rundll32.exe)
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (process: mspaint.exe)
- File created: C:\Windows\infpub.dat (process: BadRabbit.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 6 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (process: netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (process: netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (process: netsh.exe)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (process: netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (process: netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (process: netsh.exe)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)

Interacts with shadow copies (3 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
- PID 10708: vssadmin.exe

Kills process with taskkill (1 IoC)
- PID 1388: taskkill.exe

Modifies registry class (53 IoCs)
Modifies registry key (1 TTP, 1 IoC)
- PID 460: reg.exe

NTFS ADS (11 IoCs)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 969319.crdownload:SmartScreen (process: msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 386100.crdownload:SmartScreen (process: msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 726877.crdownload:SmartScreen (process: msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 985146.crdownload:SmartScreen (process: msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 199379.crdownload:SmartScreen (process: msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 882036.crdownload:SmartScreen (process: msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 489410.crdownload:SmartScreen (process: msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 650445.crdownload:SmartScreen (process: msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 118377.crdownload:SmartScreen (process: msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 152629.crdownload:SmartScreen (process: msedge.exe)
- File created: C:\Users\Admin\AppData\Local\system.exe\:SmartScreen:$DATA (process: 7ev3n.exe)

Scheduled Task/Job: Scheduled Task (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 1492: schtasks.exe
- PID 1524: schtasks.exe
- PID 7076: SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
pid | Process
4364 | @[email protected]
5552 | Emsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exe
2072 | Emsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exe
3416 | decrypt_WannaCryFake.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs
pid Process 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 2220 | WMIC.exe
Token: SeSecurityPrivilege | 2220 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2220 | WMIC.exe
Token: SeLoadDriverPrivilege | 2220 | WMIC.exe
Token: SeSystemProfilePrivilege | 2220 | WMIC.exe
Token: SeSystemtimePrivilege | 2220 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2220 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2220 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2220 | WMIC.exe
Token: SeBackupPrivilege | 2220 | WMIC.exe
Token: SeRestorePrivilege | 2220 | WMIC.exe
Token: SeShutdownPrivilege | 2220 | WMIC.exe
Token: SeDebugPrivilege | 2220 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2220 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2220 | WMIC.exe
Token: SeUndockPrivilege | 2220 | WMIC.exe
Token: SeManageVolumePrivilege | 2220 | WMIC.exe
Token: 33 | 2220 | WMIC.exe
Token: 34 | 2220 | WMIC.exe
Token: 35 | 2220 | WMIC.exe
Token: 36 | 2220 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 2220 | WMIC.exe
Token: SeSecurityPrivilege | 2220 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2220 | WMIC.exe
Token: SeLoadDriverPrivilege | 2220 | WMIC.exe
Token: SeSystemProfilePrivilege | 2220 | WMIC.exe
Token: SeSystemtimePrivilege | 2220 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2220 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2220 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2220 | WMIC.exe
Token: SeBackupPrivilege | 2220 | WMIC.exe
Token: SeRestorePrivilege | 2220 | WMIC.exe
Token: SeShutdownPrivilege | 2220 | WMIC.exe
Token: SeDebugPrivilege | 2220 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2220 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2220 | WMIC.exe
Token: SeUndockPrivilege | 2220 | WMIC.exe
Token: SeManageVolumePrivilege | 2220 | WMIC.exe
Token: 33 | 2220 | WMIC.exe
Token: 34 | 2220 | WMIC.exe
Token: 35 | 2220 | WMIC.exe
Token: 36 | 2220 | WMIC.exe
Token: SeBackupPrivilege | 4908 | vssvc.exe
Token: SeRestorePrivilege | 4908 | vssvc.exe
Token: SeAuditPrivilege | 4908 | vssvc.exe
Token: SeTcbPrivilege | 4792 | taskse.exe
Token: SeTcbPrivilege | 4792 | taskse.exe
Token: SeTcbPrivilege | 4824 | taskse.exe
Token: SeTcbPrivilege | 4824 | taskse.exe
Token: SeTcbPrivilege | 4888 | taskse.exe
Token: SeTcbPrivilege | 4888 | taskse.exe
Token: SeTcbPrivilege | 4456 | taskse.exe
Token: SeTcbPrivilege | 4456 | taskse.exe
Token: SeTcbPrivilege | 2352 | taskse.exe
Token: SeTcbPrivilege | 2352 | taskse.exe
Token: SeTcbPrivilege | 4284 | taskse.exe
Token: SeTcbPrivilege | 4284 | taskse.exe
Token: SeTcbPrivilege | 2052 | taskse.exe
Token: SeTcbPrivilege | 2052 | taskse.exe
Token: SeTcbPrivilege | 400 | taskse.exe
Token: SeTcbPrivilege | 400 | taskse.exe
Token: SeTcbPrivilege | 1412 | taskse.exe
Token: SeTcbPrivilege | 1412 | taskse.exe
Token: SeTcbPrivilege | 5932 | taskse.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4364 @[email protected] 4364 @[email protected] 4364 @[email protected] 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe -
Suspicious use of SendNotifyMessage 40 IoCs
pid Process 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe 4588 msedge.exe -
Suspicious use of SetWindowsHookEx 43 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4588 wrote to memory of 1528 4588 msedge.exe 81 PID 4588 wrote to memory of 1528 4588 msedge.exe 81 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 
msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 1500 4588 msedge.exe 82 PID 4588 wrote to memory of 4044 4588 msedge.exe 83 PID 4588 wrote to memory of 4044 4588 msedge.exe 83 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 PID 4588 wrote to memory of 4208 4588 msedge.exe 84 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Views/modifies file attributes 1 TTPs 3 IoCs
pid | Process
1420 | attrib.exe
1580 | attrib.exe
760 | attrib.exe
Processes
[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Dual_Keres_Prime.html
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4588

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbba346f8,0x7ffbbba34708,0x7ffbbba34718
  PID:1528

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2296 /prefetch:2
  PID:1500

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID:4044

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  PID:4208

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  PID:4904

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  PID:5024

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  PID:3068

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  PID:4896

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:1336

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  PID:4828

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  PID:420

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  PID:5004

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  PID:3588

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID:2432

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  PID:2744

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  PID:2092

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  PID:4140

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  PID:2996

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1616 /prefetch:1
  PID:1456

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3352 /prefetch:8
  PID:5020

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3544 /prefetch:8
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2292

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  PID:4324

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  PID:400

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  PID:4872

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6088 /prefetch:8
  PID:4380

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  PID:4336

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:1564

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
  PID:3268

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  PID:3328

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  PID:1652

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  PID:3596

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
  PID:4004

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
  PID:4660

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  PID:844

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  PID:2856

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  PID:2012

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5388 /prefetch:8
  PID:4532

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7088 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:1340
C:\Users\Admin\Downloads\WannaCry.EXE"C:\Users\Admin\Downloads\WannaCry.EXE"2⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:3312 -
C:\Windows\SysWOW64\attrib.exeattrib +h .3⤵
- Views/modifies file attributes
PID:1420
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
PID:1264
-
-
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:3484
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 302001720209411.bat3⤵PID:4416
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs4⤵PID:392
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s F:\$RECYCLE3⤵
- Views/modifies file attributes
PID:1580
-
-
C:\Users\Admin\Downloads\@[email protected]PID:1392
-
C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3292
-
-
-
C:\Windows\SysWOW64\cmd.exePID:2720
-
C:\Users\Admin\Downloads\@[email protected]PID:1856
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet5⤵PID:824
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
-
-
-
-
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:4388
-
-
C:\Users\Admin\Downloads\taskse.exetaskse.exe C:\Users\Admin\Downloads\@[email protected]3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4792
-
-
C:\Users\Admin\Downloads\@[email protected]PID:3972
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "oztitnmx349" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f3⤵PID:3088
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "oztitnmx349" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f4⤵
- Adds Run key to start application
- Modifies registry key
PID:460
-
-
-
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:4064
-
-
C:\Users\Admin\Downloads\taskse.exetaskse.exe C:\Users\Admin\Downloads\@[email protected]3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4824
-
-
C:\Users\Admin\Downloads\@[email protected]PID:3588
-
-
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:1420
-
-
C:\Users\Admin\Downloads\taskse.exetaskse.exe C:\Users\Admin\Downloads\@[email protected]3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4888
-
-
C:\Users\Admin\Downloads\@[email protected]PID:3496
-
-
C:\Users\Admin\Downloads\taskse.exetaskse.exe C:\Users\Admin\Downloads\@[email protected]3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4456
-
-
C:\Users\Admin\Downloads\@[email protected]PID:1948
-
-
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:3172
-
-
C:\Users\Admin\Downloads\taskse.exetaskse.exe C:\Users\Admin\Downloads\@[email protected]3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2352
-
-
C:\Users\Admin\Downloads\@[email protected]3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:5068
-
-
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:440
-
-
C:\Users\Admin\Downloads\taskse.exetaskse.exe C:\Users\Admin\Downloads\@[email protected]3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4284
-
-
C:\Users\Admin\Downloads\@[email protected]PID:2956
-
-
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:2600
-
-
C:\Users\Admin\Downloads\taskse.exetaskse.exe C:\Users\Admin\Downloads\@[email protected]3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2052
C:\Users\Admin\Downloads\@[email protected]PID:4792
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:3692
C:\Users\Admin\Downloads\taskse.exetaskse.exe C:\Users\Admin\Downloads\@[email protected]3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:400
C:\Users\Admin\Downloads\@[email protected]PID:4800
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:3748
C:\Users\Admin\Downloads\taskse.exetaskse.exe C:\Users\Admin\Downloads\@[email protected]3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1412
C:\Users\Admin\Downloads\@[email protected]PID:468
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:4740
C:\Users\Admin\Downloads\taskse.exetaskse.exe C:\Users\Admin\Downloads\@[email protected]3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5932
C:\Users\Admin\Downloads\@[email protected]PID:5940
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:5984
C:\Users\Admin\Downloads\taskse.exePID:4580
C:\Users\Admin\Downloads\@[email protected]PID:5636
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:5756
C:\Users\Admin\Downloads\taskse.exePID:2112
C:\Users\Admin\Downloads\@[email protected]PID:4332
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:1524
C:\Users\Admin\Downloads\taskse.exePID:5784
C:\Users\Admin\Downloads\@[email protected]PID:5556
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:4392
C:\Users\Admin\Downloads\taskse.exePID:1520
C:\Users\Admin\Downloads\@[email protected]PID:4332
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:2148
C:\Users\Admin\Downloads\taskse.exePID:2168
C:\Users\Admin\Downloads\@[email protected]PID:2368
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:3416
C:\Users\Admin\Downloads\taskse.exePID:3100
C:\Users\Admin\Downloads\@[email protected]PID:2944
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:2420
C:\Users\Admin\Downloads\taskse.exePID:7164
C:\Users\Admin\Downloads\@[email protected]PID:5844
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:6240
C:\Users\Admin\Downloads\taskse.exePID:6924
C:\Users\Admin\Downloads\@[email protected]PID:6912
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
PID:6956
C:\Users\Admin\Downloads\taskse.exePID:6488
C:\Users\Admin\Downloads\@[email protected]PID:3896
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵PID:2156
C:\Users\Admin\Downloads\taskse.exePID:1624
C:\Users\Admin\Downloads\@[email protected]PID:4340
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵PID:6148
C:\Users\Admin\Downloads\taskse.exePID:4064
C:\Users\Admin\Downloads\@[email protected]PID:6308
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵PID:6668
C:\Users\Admin\Downloads\taskse.exePID:2848
C:\Users\Admin\Downloads\@[email protected]PID:7112
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵PID:3040
C:\Users\Admin\Downloads\taskse.exePID:4636
C:\Users\Admin\Downloads\@[email protected]PID:1132
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵PID:6544
C:\Users\Admin\Downloads\taskse.exePID:6660
C:\Users\Admin\Downloads\@[email protected]PID:6480
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵PID:6544
C:\Users\Admin\Downloads\taskse.exePID:6536
C:\Users\Admin\Downloads\@[email protected]PID:2348
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵PID:6400
C:\Users\Admin\Downloads\taskse.exePID:13888
C:\Users\Admin\Downloads\@[email protected]PID:9948
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵PID:17316
C:\Users\Admin\Downloads\WannaCry.EXE"C:\Users\Admin\Downloads\WannaCry.EXE"2⤵
- Executes dropped EXE
PID:4980
C:\Windows\SysWOW64\attrib.exeattrib +h .3⤵
- Views/modifies file attributes
PID:760
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
PID:1156
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:12⤵PID:2636
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:12⤵PID:5028
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:12⤵PID:4820
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:12⤵PID:3644
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:12⤵PID:4840
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:12⤵PID:2836
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:12⤵PID:1348
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7456 /prefetch:12⤵PID:4672
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7472 /prefetch:12⤵PID:4232
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:12⤵PID:4752
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7836 /prefetch:12⤵PID:2432
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8000 /prefetch:12⤵PID:3524
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8224 /prefetch:12⤵PID:1564
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8236 /prefetch:12⤵PID:3748
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8380 /prefetch:12⤵PID:4516
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8500 /prefetch:12⤵PID:1556
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9068 /prefetch:12⤵PID:5032
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9056 /prefetch:12⤵PID:5128
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9252 /prefetch:12⤵PID:5136
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9228 /prefetch:12⤵PID:5144
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9592 /prefetch:12⤵PID:5280
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9912 /prefetch:12⤵PID:5352
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10104 /prefetch:12⤵PID:5604
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10112 /prefetch:12⤵PID:5612
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10140 /prefetch:12⤵PID:5620
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8976 /prefetch:12⤵PID:5236
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8372 /prefetch:12⤵PID:5880
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7280 /prefetch:12⤵PID:416
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:12⤵PID:2132
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10964 /prefetch:12⤵PID:1296
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10120 /prefetch:12⤵PID:5692
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8288 /prefetch:12⤵PID:5708
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8324 /prefetch:12⤵PID:5652
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:12⤵PID:5828
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9764 /prefetch:12⤵PID:6104
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9888 /prefetch:12⤵PID:6120
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8060 /prefetch:12⤵PID:5160
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8020 /prefetch:12⤵PID:5744
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9104 /prefetch:12⤵PID:1800
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7544 /prefetch:12⤵PID:1148
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7532 /prefetch:12⤵PID:4664
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7520 /prefetch:12⤵PID:888
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7344 /prefetch:12⤵PID:5092
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:12⤵PID:4928
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10532 /prefetch:82⤵PID:4580
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11516 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3620
C:\Users\Admin\Downloads\Emsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exe"C:\Users\Admin\Downloads\Emsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:5552
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:12⤵PID:6964
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11428 /prefetch:12⤵PID:6652
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7692 /prefetch:12⤵PID:6240
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7680 /prefetch:12⤵PID:5212
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8924 /prefetch:82⤵PID:5984
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8632 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:6492
C:\Users\Admin\Downloads\decrypt_WannaCryFake.exe"C:\Users\Admin\Downloads\decrypt_WannaCryFake.exe"2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3416
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11016 /prefetch:12⤵PID:2420
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8348 /prefetch:12⤵PID:2388
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9020 /prefetch:12⤵PID:1524
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7812 /prefetch:12⤵PID:4976
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7612 /prefetch:12⤵PID:5100
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:12⤵PID:5464
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:12⤵PID:1856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:12⤵PID:6916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7460 /prefetch:12⤵PID:2096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7472 /prefetch:12⤵PID:6424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9588 /prefetch:12⤵PID:2080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10548 /prefetch:12⤵PID:3164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11776 /prefetch:12⤵PID:6760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11708 /prefetch:12⤵PID:5492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=12284 /prefetch:82⤵PID:2836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:12⤵PID:1116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11524 /prefetch:82⤵PID:2052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11940 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2348
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7040 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=116 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7600 /prefetch:12⤵PID:4844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:12⤵PID:1492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11708 /prefetch:82⤵PID:6520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5756
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7696 /prefetch:82⤵PID:1016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11696 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5748
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=124 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7660 /prefetch:12⤵PID:1720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7040 /prefetch:82⤵PID:6896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=12060 /prefetch:82⤵PID:2944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10052 /prefetch:82⤵PID:4872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=12268 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:6616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10552 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1864 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=133 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:12⤵PID:27636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=133 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11032 /prefetch:12⤵PID:31616
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1396
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4992
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4576
-
C:\Users\Public\Desktop\@[email protected]"C:\Users\Public\Desktop\@[email protected]"1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4364
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4908
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\79114d9a975b4afaac14f6f2893cb39d /t 556 /p 43641⤵PID:4856
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Public\Desktop\@[email protected]"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3400
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵PID:1928
-
C:\Users\Public\Desktop\@[email protected]"C:\Users\Public\Desktop\@[email protected]"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3916
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x308 0x5301⤵PID:3624
-
C:\Users\Admin\Downloads\Emsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exe"C:\Users\Admin\Downloads\Emsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2072
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta39cc9a4h75e5h4feeh90d5haf6349c932db1⤵PID:4816
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x40,0x12c,0x7ffbbba346f8,0x7ffbbba34708,0x7ffbbba347182⤵PID:3716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,11917980712111367937,18068633962221447351,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:22⤵PID:6284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,11917980712111367937,18068633962221447351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:6292
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault80030d8bh259dh48fch9eaah9c77651aaf401⤵PID:6648
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbbba346f8,0x7ffbbba34708,0x7ffbbba347182⤵PID:6672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,10846418160723145354,15662581185265134970,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:32⤵PID:6932
-
-
C:\Users\Admin\Downloads\$uckyLocker.exe"C:\Users\Admin\Downloads\$uckyLocker.exe"1⤵
- Sets desktop wallpaper using registry
PID:6332
-
C:\Users\Admin\Downloads\7ev3n.exe"C:\Users\Admin\Downloads\7ev3n.exe"1⤵
- NTFS ADS
PID:6416 -
C:\Users\Admin\AppData\Local\system.exe"C:\Users\Admin\AppData\Local\system.exe"2⤵PID:1372
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat3⤵PID:4500
-
-
C:\Windows\SysWOW64\SCHTASKS.exeC:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:7076
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵PID:1144
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Modifies WinLogon for persistence
PID:3944
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵PID:3540
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Adds Run key to start application
PID:5528
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:643⤵PID:5052
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:644⤵PID:6224
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:643⤵PID:5116
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:644⤵PID:6240
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:643⤵PID:3708
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:644⤵PID:4536
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:643⤵PID:3636
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:644⤵
- UAC bypass
PID:3900
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:643⤵PID:6536
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:644⤵PID:2900
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f3⤵PID:4792
-
C:\Windows\SysWOW64\shutdown.exeshutdown -r -t 10 -f4⤵PID:4500
-
-
-
-
C:\Users\Admin\Downloads\Annabelle.exe"C:\Users\Admin\Downloads\Annabelle.exe"1⤵PID:4480
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Drops file in Windows directory
PID:7052 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:692 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵PID:6288
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵PID:1656
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2739046904 && exit"3⤵PID:6932
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2739046904 && exit"4⤵
- Scheduled Task/Job: Scheduled Task
PID:1524
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 20:27:003⤵PID:6820
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 20:27:004⤵
- Scheduled Task/Job: Scheduled Task
PID:1492
-
-
-
C:\Windows\E2A1.tmp"C:\Windows\E2A1.tmp" \\.\pipe\{B2EF09DE-15DB-49E1-A739-766D02B5B321}3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6060
-
-
C:\Windows\SysWOW64\cmd.exe/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:3⤵PID:32736
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN drogon3⤵PID:24736
-
-
-
C:\Users\Admin\Downloads\Birele.exe"C:\Users\Admin\Downloads\Birele.exe"1⤵
- Modifies WinLogon for persistence
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
PID:6068 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM explorer.exe2⤵
- Kills process with taskkill
PID:1388
-
-
C:\Users\Admin\Downloads\Cerber5.exe"C:\Users\Admin\Downloads\Cerber5.exe"1⤵
- Enumerates connected drives
PID:3812 -
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:6728
-
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4792
-
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1112 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵PID:628
-
C:\Windows\system32\mode.commode con cp select=12513⤵PID:32952
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:10708
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3818855 /state1:0x41c64e6d1⤵PID:10640
MITRE ATT&CK Enterprise v15
Execution
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- Windows Management Instrumentation (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Direct Volume Access (1)
- File and Directory Permissions Modification (2)
  - Windows File and Directory Permissions Modification (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (3)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (5)
Downloads
-
C:\Program Files\7-Zip\7z.dll.id-DC6DCDB9.[[email protected]].ncov
Filesize2.5MB
MD5ca78910af62fb6c4843de8ccff099601
SHA14949d071c58776879cbef70e77a9cff9d20ee53d
SHA256e119e6e1e4b49531496a46831ab0b5645654ff380d4f862b7a2d8653b7ac4b89
SHA512aaad2b6a72e4bef2f072adea69b15b70fca181b05b55acadd0e14cd144eb60c2f369752e2fee706b3088eefc905056167984f5edef11ddf8cafdce5bfc1f323c
-
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]
Filesize585B
MD52a8ebc0f637ffb44240a732e28adac8f
SHA1abe145c56c1b5376a3f97ca0e09a5ff3f2f95cb8
SHA25691e0d501be3cb51b02920e9992e028ea2d23803df792906736adf539dfccf876
SHA51244354a5e54222809b9d87c51b1d2741002f227cf7d6005cb163e99597f43c7f1c1c7f4d62b1aa8e354d640c1f384ffb9ac3e8166e27119ee5b40be64a87532d2
-
Filesize
152B
MD5f0f818d52a59eb6cf9c4dd2a1c844df9
SHA126afc4b28c0287274624690bd5bd4786cfe11d16
SHA25658c0beea55fecbeded2d2c593473149214df818be1e4e4a28c97171dc8179d61
SHA5127e8a1d3a6c8c9b0f1ac497e509e9edbe9e121df1df0147ce4421b8cf526ad238bd146868e177f9ce02e2d8f99cf7bb9ce7db4a582d487bbc921945211a977509
-
Filesize
152B
MD50331fa75ac7846bafcf885ea76d47447
SHA15a141ffda430e091153fefc4aa36317422ba28ae
SHA25664b4b2e791644fc04f164ecd13b8b9a3e62669896fb7907bf0a072bbeebaf74a
SHA512f8b960d38d73cf29ce17ea409ef6830cae99d7deafaf2ff59f8347120d81925ff16e38faaa0f7f4c39936472d05d1d131df2a8a383351f138c38afb21c1a60e2
-
Filesize
152B
MD5982d79c56a1c24338bb257728ad39519
SHA1f5500b0afb526d08f75ada9afbd03e3fdec20c06
SHA2567dc4e0f4db6e670eeaf0678d71994fbcc647fab636e1d0001af7632ec524e728
SHA51262d4fc3f8ce77455dd13d75d7bce1760be6429482041199c17c35d0e0008f8b843527cef11ea22b744820eeb2cdbfc0959481e5d3eb613eb8b5155cd07a02164
-
Filesize
152B
MD56f59f4933867eb943f7e0f193720b4e9
SHA147105e52e5e43c9a1426b044e194524fa3b44ff3
SHA256764302e7a7135fd4d98e507215ebb05a633c1ee97801ac554ba0b8babfb773a2
SHA512a69e93acd7849dceb05f016dda2fe477f7d4f49d1749f9793df0f5ceb119b100677bf3688e49fd89392b8d12c377e1ea500136c63a0e12458b65a90fa6b2cf94
-
Filesize
67KB
MD59e3f75f0eac6a6d237054f7b98301754
SHA180a6cb454163c3c11449e3988ad04d6ad6d2b432
SHA25633a84dec02c65acb6918a1ae82afa05664ee27ad2f07760e8b008636510fd5bf
SHA5125cea53f27a4fdbd32355235c90ce3d9b39f550a1b070574cbc4ea892e9901ab0acace0f8eeb5814515ca6ff2970bc3cc0559a0c87075ac4bb3251bc8eaee6236
-
Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
Filesize
41KB
MD53358e831188c51a7d8c6be54efafc248
SHA14b909f88f7b6d0a633824e354185748474a902a5
SHA256c4cd0c2e26c152032764362954c276c86bd51e525a742d1f86b3e4f860f360ff
SHA512c96a6aae518d99be0c184c70be83a6a21fca3dab82f028567b224d7ac547c5ef40f0553d56f006b53168f9bba1637fdec8cf79175fd03c9c954a16c62a9c935e
-
Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
Filesize
88KB
MD5b38fbbd0b5c8e8b4452b33d6f85df7dc
SHA1386ba241790252df01a6a028b3238de2f995a559
SHA256b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
SHA512546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16
-
Filesize
1.2MB
MD5620dd00003f691e6bda9ff44e1fc313f
SHA1aaf106bb2767308c1056dee17ab2e92b9374fb00
SHA256eea7813cba41e7062794087d5d4c820d7b30b699af3ec37cb545665940725586
SHA5123e245851bfa901632ea796ddd5c64b86eda217ec5cd0587406f5c28328b5cb98c5d8089d868e409e40560c279332ba85dd8ce1159ae98e8588e35ed61da2f006
-
Filesize
43KB
MD5209af4da7e0c3b2a6471a968ba1fc992
SHA12240c2da3eba4f30b0c3ef2205ce7848ecff9e3f
SHA256ecc145203f1c562cae7b733a807e9333c51d75726905a3af898154f3cefc9403
SHA51209201e377e80a3d03616ff394d836c85712f39b65a3138924d62a1f3ede3eac192f1345761c012b0045393c501d48b5a774aeda7ab5d687e1d7971440dc1fc35
-
Filesize
73KB
MD57322a4b055089c74d35641df8ed19efa
SHA1b9130bf21364c84ac5ed20d58577f5213ec957a1
SHA256c27e6cbe88590ba6a04271b99d56aa22212ccf811a5d17a544ee816530d5fd44
SHA512bad26b076fa0888bf7680f416b39417abe0c76c6366b87e5a420f7bc5a881cc81f65b3ef4af4ba792aa6030bcf08bdc56b462775f38c4dbf48ff4d842c971bea
-
Filesize
62KB
MD51721006aa7e52dafddd68998f1ca9ac0
SHA1884e3081a1227cd1ed4ec63fb0a98bec572165ba
SHA256c16e012546b3d1ef206a1ecbbb7bf8b5dfd0c13cfeb3bdc8af8c11eaa9da8b84
SHA512ff7bfd489dc8c5001eea8f823e5ec7abf134e8ad52ee9544a8f4c20800cb67a724ec157ca8f4c434a94262a8e07c3452b6ad994510b2b9118c78e2f53d75a493
-
Filesize
16KB
MD59c6b5ce6b3452e98573e6409c34dd73c
SHA1de607fadef62e36945a409a838eb8fc36d819b42
SHA256cd729039a1b314b25ea94b5c45c8d575d3387f7df83f98c233614bf09484a1fc
SHA5124cfd6cc6e7af1e1c300a363a9be2c973d1797d2cd9b9009d9e1389b418dde76f5f976a6b4c2bf7ad075d784b5459f46420677370d72a0aaacd0bd477b251b8d7
-
Filesize
3KB
MD5b308b21c727760306bd424ee6894105c
SHA1ece8f1d7fdd07483e387f53cc357272ae6de9083
SHA256cb60c18be2c79811c1fc4113febe2f692d6d6d11084052e40c5f89fdff74d93c
SHA512b8f31f62fd57cdb88072970599b8d9023ae42c7a267b85f69e24b7c92c3f22fe04ef15330124334fa31a0ae0b31c34dc0d93b25d90870fd4314ad53843ad1b9b
-
Filesize
1KB
MD51a159953456b5406df356c43c8b32670
SHA1c3d2420ef218b2e27581620c53454df194fd38f6
SHA256e683e10864f4892be14fef2df34cd90d2902ff0dbfab8ff2fb7492cc68903a42
SHA512b1e6b7a9a93d9486f75a1b5211b0892d2857998ee216dbccb1ba02555be6123c1c01f03a7809ae8639554e05c9c31e9eb44b943a539b5048d02f0ec42c48a00f
-
Filesize
1KB
MD5da8585745e523151e35f677ca4e5d3d9
SHA1002f4ad13ffcfdeb62a81cbad8b14fb711254ab6
SHA2567eaba01c015047c5b823851f980e3a02e1fdab544625a7aea5436af05b9dab01
SHA5129ce3ca15a8a6c1e14c4c34633d6214f4413f0e2aa5609f0447074664b9a5db224afb057c7896755e5119df73a0d2f345fd3517da6f80db1b2b3881155a8ea305
-
Filesize
3KB
MD5af7cfaa2e8ae67a7a6f47969b71aad8f
SHA1684cb6e1469ac65969443e47144281c8dc433d56
SHA25634a59e83d7aae1d244ec8f134021bbe4cb8a8bb1b4becd735843dcfeaea8e270
SHA512cb17451aaba90bd3d646619475d78152f56182f5114f6e29cc1827bf9c9ee86d5642d6874ca40258e4438c3a8b15816a3f405b0101d97ad2abc4412b82c0d052
-
Filesize
104KB
MD589e6f5561def4070923b9365cdab0439
SHA123d0cbfb4e9ab6558892bdb449090d04186f322c
SHA256da8b8fdda05f3a5924a9c9fa1e964749660ea334a31322eb4a0efd698b388a90
SHA51267e0faaa7ab5ad832bc1bcb6ed2a0bf4f5fb9a9a2d49ca277f91f73df51660b6084cb2023df86b2895a06b764f53bcbac27fadcbbdc4dd6a365224101c7ac4df
-
Filesize
1KB
MD5c5ac3fa4062ff4f69ca75672b3f2c0de
SHA1dad6f5bfc71ef1b64cadf92a86a25ada8eca31b3
SHA2563db4f1960968018143db498881da1063de23dfc12865e1e64d4e166845919633
SHA512586faf5ac303badc417853b413fb1437a3ec2815d29d0255492a461ca49c3b485dcb8f89b97e5db23572bee2d8784cd3836eb83fd8ed66b8881e14de7f70ee13
-
Filesize
275B
MD508a70f99c27d2b822523a2c0c6b092ec
SHA103e9cfb5568e8c29b23842738a51acca75490ad9
SHA2565509bd6d706e4479ac94eb735397e889268d6468c0dbc762728d83016792b2aa
SHA51270f09a3b21d7875a03a861bbe63d9e9753c9671c9bf23b9ee8a1446caa019dca1821eadd202b82dc991e59e33b3690055749ee88a46f2cc35840faa24c7e4d58
-
Filesize
32KB
MD5f9f91f41b29feeb22d8a1202b06c5b34
SHA163b8ce746f9ddc553e7ac372795da314b8cc7624
SHA25629e24e0fd791519b3525c9e602d88911237d29d4fc044abfdc13f064f72c8ede
SHA512183b03a8c1dce2b16e9355c5fc2a3158e412c4aad094e0bb9003df8dbfd4e66402e81975f79b8b924e356037abcb4410b4c468db62ddad240312d6f2f0ab6ea3
-
Filesize
1KB
MD5cf84aeee4d353547260c44d2e94dab73
SHA147300773f294439a7cfa134da95cef79faca417e
SHA25602ff860ba1094da253d86ccb068e7cfc8b4487fb8610987cf64eb0299a7fe0c8
SHA512eb3189114e242bf8e0ad98f97b88a3a62dc9d63bb3cd407e420a381410ad796c4c50fa6bf9c8f40bb3d7a0ab3ac74e0d615271f55a83dec81cc35688243f0931
-
Filesize
1KB
MD562b01e4887627a24cb2f031633fdbbc1
SHA1b7dbe0d92eab3d65cdc3b082a22252c992b7a6ee
SHA256343279175f1e14f992874a603faf1b505cee5fb51edb7479f544f70e7f8e403a
SHA51230037eda6cc5b1d2cb96d8e8ab76e0d4c42895fcecaae638272b280313514399eb2dd844c30fc9a79c3cf3605fdabc5031e8686bd2409e2d4c165165af341981
-
Filesize
4KB
MD5d75e0e124e901de5d139ff65f70312f0
SHA10090962aacfe42e681f6a87934dfc646ef4fbb75
SHA2562e606e15d8be303ae603f2dcdb53f0cd2fabcb9d69dbaf485fc9d443c241cd75
SHA51258b8ca30b0359ab2e686144d4ac41b7e2823ab831f7eb23bb5865b337231198f55fe2e776d68ffb978b2068661cffef6560d24b2a19456dbf1c74b72f2da5841
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize7KB
MD5e7fd33d52aabec58ef59efe101c93792
SHA106c530ac37f1a9e9f242c03c9c1ec271287962e2
SHA2561a4d525c550cd9f3b716aa35556946ecf751b164b3f67a6ee09bd1e5a3d9057e
SHA5128d6646e8a104adb570b7a77626bae9e9a5dc636ec98c60a7a0624ef80fce37499fc63a90d7d6ad268c767605730adf136251d148b6ebc6abf3db24f6914fdc4c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize72B
MD5ca3b337d03f244d553d5d925955dbb31
SHA130a2ec5412d00fae45c4a35c396c126e95f73fb2
SHA256ac36c561f60f118cecc10eb268687aa1edcf1fd2dda6b31b4f6be9e80fcfa3ef
SHA5124b034d0c6e84273ce755b05091acb3c6916c810329226d075af173ab69d2d74ce37784a23a3aff43365af9238e237b85d9082c2edeb8436ebd4381343eea1957
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize7KB
MD5471ca65dcc24f363886c674d27986a8c
SHA11cc8a5438e891b18f8181df01c2105b662efa8df
SHA256314f1f72825c6f57b2236b908cc392ac38f0f02ea5df4d885d4302ad080f696b
SHA51268cbe3362dc239048c7238f846952ae98508b759d49ea9f31db49f2e68a57d4b737361c510d63feab18e8000104fd80258e06f86c66036bb6a5b7531be04ddef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5dc597ad4395f9da94c7fc4c1ed871482
SHA168f419156f847d001a3b3433da59e15426afe665
SHA25603d7ba31038dfcc083f0b6a8e2320a3196989e22c31f98a832cab6b0649f8918
SHA5121653e17cbadca7c02d4a8111cc1a502c434bbf11234e55051bffa3b77108a0baca1b2fe29fd4e4c5822477903edf3df6ec1f5eda1d43e2ba9ee140c9391b949d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5fefbdd63ee49570fdcaa41631af73ed1
SHA166eae99aead36889ff590c33c2ec702361a5ae6c
SHA2564cfd6fee9d8fdd63c0c63d1fbfaa048d1fbf92372bfb258837a9c43c24bd86e0
SHA512eab935279eef4c50d8caeed05d5f2493794b7adda5762a0da7116ce0ba11b7e0d3888a9cbb96cccfec8c42c4e6354924c7c80d86117f8e5b993322ec3d4be991
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5bb1d6c4c28a29747a611e3ea38c7b73c
SHA11c92019fe9a4749d0a04d5ef9e204e9f90e0da36
SHA25611403e0c96c3f0cadf7c92c13bd752ed972efb065b8c4659f920ba51d6b808ba
SHA512c5103a8c0b0fdbfe83a7a3af28aa41679ee612ca969d12ff1ef8c2010717df66a7f14f64ec220d6e89c15af1e7558c12eaeb051fcb96ac267b39c5ea46f8c7f5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD55b0052ecd9c3c9cd5317ac7f61cf8e63
SHA11b9dbd8dfa4305c476ced66ea7cb3a4ee291d76d
SHA2564328eeb608ff88a663ece36d7f94b4dc9d5bf356f2140a9d65a58111aab53387
SHA5122f69d2248731b5827d2b4090d074f85c5b1edc675d3e4539ac63f8f6942834e6bc497231ce2dcf3454e88976e8a436661d5c56fcaf493f0b2d0713f716497e82
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize7KB
MD5e6030e57ffc34937a734c91d4929a4c9
SHA1b6db33bd0c60572e50eec80ecdf2c928bc5fbfa3
SHA25616b7928ca6a471d3ae561bdfaeafa101130a3829518f5ad40c04c9618aa81fd7
SHA51205662e10c49a130df771d0481a9b8b650eb4d362d04de3cb37352ec1dda205bc8fff73a85cdd1cc9b5b278a60aa88039b49d833af4803002e4fd6749f2ccb4ba
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize7KB
MD54c3fbee6d23fc3779e818d4492a172c2
SHA19ce96c788c4e2f2b079dfb60fba8c343a54689b4
SHA256b6c3ebd344c5bd0f12f3f4a36778dd3fb7636c98e70fc78ae77114cbd1270c91
SHA5123d9c86fa28f1fcf7cb92bd88330d1ea42582704daf5b8d8cba1089e002497e913209e3806ef0b7f64385fd3f183726fb32635eab4b8db659e38500b3c7832855
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\file__0.indexeddb.leveldb\MANIFEST-000001
Filesize23B
MD53fd11ff447c1ee23538dc4d9724427a3
SHA11335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA51210a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.fandom.com_0.indexeddb.leveldb\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
14KB
MD5edc87f648a36e0ce80abd630aab3a38f
SHA11b1fb6bcc2a0f81463a407161de5964bcddb5da3
SHA25644460d3601ba2cb566f87916a67e3060f6019008b983dd6e96cb7d275927e661
SHA512f9a9f93d2a7a3fc74da1a2533e59602027f9a93373e1181e56bcc0aa457a79bc2a11be8ff94005133dd6aef189a0516deffcccb21c5d73bc1c92756eed25dcb8
-
Filesize
15KB
MD55a599790a8fdec5868a0ea4c3804ac93
SHA18e3241446c0cc95dd3ec040f412cffe7631acfaf
SHA256759c5bbaf6ce94683817f1ee51c6f70413970b2a649f81d2e5ceba30f6e3f908
SHA512b8d4bfcefa148d604253267dc6a73f4b296ca76400d003766b43ae0e3348cef656368887e71c12fce845eeefb83602f91473d848f13a1a39f0b813082bae9363
-
Filesize
543B
MD51176299d43c84fd5f6555464d04f9ed4
SHA17475a2eec66d4034735ed27625318f34c3959c94
SHA2563e0d5f616d52df1b7392bc8ee3c61ef9b22f25b4f671c9751b54267eb38051f5
SHA512d15520bba652045d1b6d67aa9d062be1421215074b89c1b0b8e2d8e3c11ab7befe4bdede2e23c870eabe9838d4c37c1d464832666b525338949cac1e88e8e696
-
Filesize
1KB
MD59c15501239e1d64521ad44cfbd5d4166
SHA1fb99dfaa102a31621a8eb41c9b08b372d98c48b3
SHA256370dda815f4e154d4762bcd9b5a46b38cfd423e5f2e50234797450701c9cd423
SHA512d7f65e41a7ce31ba0652ec7118a6eac0c0b4d728a03ed787f807783fa1868ba1f08c6e8d3b2123a61e7308c3653705d4400a6d612c65e59a3847b71eda9a45c2
-
Filesize
15KB
MD5190aabd1e9bc6366a66a49c740631c9a
SHA1d02f6fb90ed27d9e39bc6bb1d0f8353a86e88c2f
SHA256f4790bea24103fafee202fa357755facb39f712f5b431d6793474ba95e62462a
SHA5122955e9fae03a5a71736f00209d8c9139d8650b971f5bcc3e3c2135e394f5b8779dd485520f011255a2ce89404b112ce64aa5739414d061b41252bb5c1de23b89
-
Filesize
1KB
MD5685c6420d19f5f19191178606fbcb260
SHA1f147f726b6f2ac65b9bd04c1d8106a0b6c711fda
SHA2569e91af357b5b3f7dc3cff42f5727e3acfe66d42acdc33ca760e2b9ed56aac06f
SHA512e03a2a115adfe622be6cd968ebf475abf8aeb6c2efa277083e1ea9659efcb32f254df0cb8dfbb52675e03e1effd938ffc7e8e17045b3f1b9506b614767d86d0c
-
Filesize
15KB
MD5da097ef5e0deb069e7cb0c16a961bf01
SHA1299b5212814ce8f8614c0fbe0dc4e7eea715f495
SHA256e1221684fd3e86cd847b017b8d87bfd23cc09e31a8697b25be695b96d36c2151
SHA512a8989c1c53c3661832ca142c9f1a05c34fddf96282febf62f8812fd5e7ba7552be219670d68fe6b92793240796690d78e6038e7d253f146452b1d40c38f94205
-
Filesize
12KB
MD544717861bc7d06c31261b6842e511525
SHA1fa892f049b2b0e6208c96cc7ad304c1a5f8f5d49
SHA25681be588f9111b91dd53429bb2d903f81e3bbeacbafd4f0ece3f95edfe9b24660
SHA512cbf80a99506c843c3f4d63e9bd9c3b841ed6dbdce5acc96a3b2c5d4f368fa27dab56895589e06ffeb720b41009b68d01c0d672149309e793eae339d10c817575
-
Filesize
17KB
MD5884f79c07f02db07fe3d2972728c4e99
SHA1adb26b90bfd4a68134a6946b2654671df87344cf
SHA256fd211a4d1b43437a5938a5425e2b3bbb77093fa7fa476597bebc6aab136c7c66
SHA5124120152af0fa35dd1a401a703a24b6167a6f3787afc5cdf4069a5228c8fec0bc5b41d1b5e4fa9cda1e62d892a01db94d452ca26709479dd3447004caa7be0050
-
Filesize
19KB
MD5dcfb8dfe8e25a5c11d47b28b58f2f6a7
SHA13ee1b6d1510b21eeebd939493a91b358f4c68153
SHA256e79df49556dac3904662543a56bf8b6e0f8bd10e877178e0cb3059a41f2d90b3
SHA5120f300509eaa4b9133d96982f770bc619177b78b9aef9c57d74bc0be37ba5a99a8d7b543850e45f3b0970fe88761957d3edc3fa720cc4ee7d916b64d474bf9575
-
Filesize
7KB
MD504dd84c25617e9639fc57e36c149dc0b
SHA16d60931f963170e3fe79a00ee6f527d11441f354
SHA256ce07ae052fddf2d7a7a3f580553c222b10d3e5e8c672c18d785decd2169abbe1
SHA512d721dcf014f03a9ce087342cc82bfc1215a738dc13a842ee97a855a1ac823050d9bbd2b8f4799f0c4669589e2f8fc5e6ac0adfd664b45d4e8128c383dcfa6ac8
-
Filesize
6KB
MD55069be224ee6429513cc0da0cd67a13d
SHA156a244603451a93d9e7581c577e75d924c6df97f
SHA25624b43bee08f6156a771851acdb142b52076c803a4dc7d5d6fe6b2d309b661697
SHA51284a36a26bcd144347981c0791a29487b7a423f3356ed96ce356585c127422900c2efd01e6031667edc22303070673222b80d3dd2fb811ef1bfa718078650d54b
-
Filesize
19KB
MD595450940de86cd29501662c170267b2f
SHA10d40deef6f0aab8488dec8355939d4ac288c3765
SHA256688639f16fd3a3eddce23847c62bbd5c53a55503a17e2dadabb3edc833d78c15
SHA512bdd791a865e6a2f8218e20897423c7d2df1b6f8f9ed89f7d5638488c91b0473146cf603598020b0bcc95e72aba102defa0ebefb7eabb88b6e36d367042a82208
-
Filesize
6KB
MD53411eb95d387173da8f04b9928060d63
SHA1df59f750279aa3f5caf49d24ed4b2d7e3bd14e56
SHA256edcc5cbc8224e7838ed328702451441b5964a9a4e63bea33738559e1e3b53fa4
SHA5123725fc22084928a1c61b1a27157e7f9276e85b649a3e7a282ffa58c349d10572aaf813763445e33ee5b0b6f97f87f59e6b021d96ab7ccdef171d94f9bf24df06
-
Filesize
6KB
MD5d89f3102dbd0fffdedfa790b3849131e
SHA17bbca145923f6fd59b811c015ac6847508084077
SHA256c5da7a9cacda2a38308da4bd750e561e8c4a5ff54e277117eb5f0430aebc7f77
SHA512c1cd0e0a155fb3f1ad04e0541be4bb0dd4cb925315cb41e30eca44f4657725c17b52d6db749ac2d065d365d735797ed45c9e9a90c4b6dd6c47fb2b3b23473ad1
-
Filesize
6KB
MD5f4cd42ac4cd84a43c67229cdf8b60d52
SHA123678a74b3ef36612b059cc75600fbcf0659b5b9
SHA256d3a5d32a10cd0c1d1007708f12139c7306a37c5b6b4c6f86d179c44664dcc142
SHA512596d5d0de3dfb517251ff6d1dee18eb9dac5e92edf7c7c756f6b00bcf6aaa996bc1454732e0f831e4dcf981a54f83e59ab586ab905e40f3d2e34f9f6b4d11415
-
Filesize
7KB
MD5dff8ccdb99975906f29ae5fdc4bec4b8
SHA11780459dc036b08e181954b8069ef3e59417054e
SHA256fae12135d01f66a723c185f459544b0d34bcc70350e9088f1df4b5f4153d9fbd
SHA512adf8d51cfb1b8b79add809aa52dda60945cfe3bd58cb839f2873106e216c77dc84fba48b41881a32558cf3c2f04dd9b86aa4d8930dd29b91d1b1a690c74ce687
-
Filesize
7KB
MD528b9347e7926df4003953aecee4e99d5
SHA19779752425a12f072e10d9e8a4479fc9d97f7ed2
SHA2565f07122ef21bbb0a89c7a97477d45fbdffeb6fddf7405cf66dfeb2cbe6699835
SHA5128f59bd02faad65d5774dbf63766bc85f00143e49037eb38780ee6b97eeab5ce4cc2c8529036eca3d9a7ef98ede04844e6d860e75471242d672f61c581281d1f9
-
Filesize
7KB
MD55c608867982c9269df962b0925df862b
SHA10e26bb2e61d1db2f7d23bc3df0c03bb0a51555a2
SHA256caac75a3b05e20354ba08eb00548cab9e1b57d873f8f725bc123bb76cfd6d0f4
SHA51236899466d66bc6c28a73676659a78436e11824c853ab0a0e67c0394a6d56f8eca93c144c073a887133a837e67bbc3d4d2ab5bfca52efd74100d18202b921cb15
-
Filesize
19KB
MD5856b43a6fc3f4886750d2360867025e8
SHA1a67afdecd9fe6de10abfea9fa287297a18f6244d
SHA256db7d4e1782fd428740229cc1736a6191a271ad5228f907966aeedf4b86c4815d
SHA51217bafca176b3e77f6a5542a8e93e93fb95691a88391f5f5f066e5684848c5335371300cc0c9ecbdfead8491b8094a33c24cf33284f190ff220443ca9e3be77cb
-
Filesize
19KB
MD5dfe24578df593d6153e95d671447066a
SHA147de6bec95dc3d46f09b9567d15971840a37e9e6
SHA256eb5f8c4dd83267cba549d76e1b216ee167f703073d12360cd13d1f73d0e6e13e
SHA5126e018ab4c7978a5de4d916489441a90035ccae07ebb235a7c31bef5bdf7ec21f0fdecb5e6b0692f745bbf888d7b0daceb9b1ac59073eed06b7774e0b0d044863
-
Filesize
7KB
MD522d9dd34de9e388c1da5a5fb8b080477
SHA13e28ace1f4c813b9887945e998728b3539fac6f1
SHA2560a58789da4a1da09ae5cd73e0559c867510d130125287d695d9dde2aa30eafd3
SHA5125c3d030ff8b98d30656524b0f25ce2a5e4b5ccbc466072677611c91c0933605df879095279cf7bbf10e6633eda240284177a32b0d908acb2e1ee095ee5ae2031
-
Filesize
19KB
MD5a0eceb2e419130c09b37832bf0d9da0f
SHA1dc3fdead61e52941cce03c5458c21bc84525ee1e
SHA256d6807ac23915a16d82d198b3ae0280bed55ec7135d871877f74ca72cace4e01f
SHA512b6574ae2c2f1842428b1db367f669f49af1f45e475d3d5e7deeda4d9632b272217ce051f3c1e6ed81a82a2dfa5d7aeefe8460dea4b5cfcf42bf8aaffc94ef648
-
Filesize
19KB
MD52009f8ee004b20b29fed96fcb449cecf
SHA1faf1d9ada620d0e062be18dd6e352bb1b2532d59
SHA2564b84b2857af57e46ac5795517dbfd50d8a98f6b29271075edb315a0020be04c8
SHA5120f6bd12b7a4ae8dbc4abac989d90b93cb0a9179ff62771099f8776b0c40e34da60fb95816846a76932c7202dc0c856352fa40453b94dec2eabe3ba528b7cc6b1
-
Filesize
19KB
MD5625a8fd564f0ba26ead8e5d22604e391
SHA1a438df1ccbf9e6dc5f85963856f90c8ea0fd21de
SHA256dd274d667c3b5d2a1334ca6bc45f176bbee4e555ab5c549d2350043deceeed87
SHA5124d24bbcaf853f29a0aa803c311b8d8ffd9378d76056b08feec9196e34a5621dbe81f313e91d2f4a7589a153910bf6538fd632d6a5d454c2e8706955a58b67eeb
-
Filesize
7KB
MD54e27d2a5ec265f3dfa3e60fc8c429743
SHA10db9c711b9a4b60b36f7a05a84971462efb4af84
SHA2563bef0ad825d6432cc710214eb0a0f6dae72e996c09efb474a1b8e0eb0610b3b2
SHA5125e58b06fdeb0e69fd1d1972555ef1375997228e398873e47a831012dbceee6625e372a82426efc2a7ccfe42a2bffea17d2ac6492e2cb852a0fca874c340df46d
-
Filesize
4KB
MD50b453fa21e4f546469b8667816d18ffa
SHA1ca2c0e25dd207684736ce3e19777055c1410e697
SHA2566264eff4393261878fd1ceb9da4fc39796647a4c923c96dbda086e1320cb3964
SHA51247d401400c9680ce2e4d003e66ec7af5b475826d6e7bfa191cdd456ad2ababc77f6ed1ac5b7493dc2e41dac99183f67ae25da7442408ae150547ee072d3ec512
-
Filesize
7KB
MD580902e9cbfb808aaa00407983e3a5d7c
SHA13b0307bb9fdff8669eed69fc0ff176fa7a19a851
SHA2568eff5d79bceef0843cde0a97b882fffac13c8692769949c0d4bdbfbbe9c7bbe5
SHA5123f30a432a59fa8eae6ff212c2b96e5c3f10fbede795f181deb54124f2036b958830a1faccc8032b462c2a0ffb1ac15d8a1b34f61eef1dd46f11c062abb8dcbd3
-
Filesize
7KB
MD5bee4999eec0bfef54d1480ea5e29e14c
SHA185dd7f78c0b40ba4325b9b56e35e0dfeac4cbc8a
SHA256ef44300f28ca5b66e203b01f32ed144034f1dfe4033e5d26abff97397d8ad015
SHA5123b5b4fec0f27ef921f499d0375b54e73163aaf0b8ebf30c457ec51cfebe3368aff68c437da2abdad24bf234bf3fe0269eaa935ad85f007f70d4b778a8decfc18
-
Filesize
6KB
MD55600ababfbaf72eb9e47354be1bdd7c2
SHA1109ec0325841cbbfbb9bd2bd08e3b087ad022912
SHA2560385c76edac9364f9c6e9bdd2f438fd43b2aa2fef10291e7b9d8087ee3b1ea81
SHA512cbf2ef638704d267f1c63546159bafabc407031a913ed40fc96eb887178917618c93507bcf80abc7e81ba1fd7c56d427d718791811bff43a4269e66be4ca9890
-
Filesize
7KB
MD5afc71b165a7dc9f733fb503862ad76b3
SHA1eb976a079275b7b25d61f7d4129dcb0b3fe1ac27
SHA2560b0feff038fc55b4d4d3ab1bc088893666a2506ab9572bf1feedf246c52cde5e
SHA512f4fee0f72f311f15e19a78fea1c349d810c4d2d9f5a87d43df0ac64f16faf39a973f6a5de18496a096a12936b1d7b5b6511c37d462db5af4504e06e56bf2e658
-
Filesize
7KB
MD516bdbe8af95c46ab47a2d552135426d8
SHA1106d7318d51cb70a4618ff28508953de3e40cc8d
SHA256a02ba98dd1fe6c87f039693176b29a96e0900c3c84b59fd691bca63a197da796
SHA512920c5ef414600274f8f3dbe0369a2f857facc819a7f50a50b99fe3eb35e486991a4b8898001927ce3b5bbf91f0ca656c24a0257492911504cd2bdad7a1aff125
-
Filesize
1KB
MD5af66646c2598db22614d5eedf1252821
SHA1fe6cfee2ce30d3a4cbf2cfc61966323c7f3d7809
SHA25609f6015d628d887396f723eaa946ae7f65bb97c8923f9b79c19c388d00f67804
SHA512b11e5b5cef4d34c338ea53b31bffc54d9e46cdb00fcdfa3031d60bf879493f84820512c80882d794187e5d9139c0c5f898a329fe5305bd6aa6e2b66b2f8b0e95
-
Filesize
1KB
MD56e14cf6eef080dfe5cec906c0fd87667
SHA179d0e1895b49ae69ad9dd80aff472f888a004630
SHA256a703fc21135167df83bd5de46e0f69d7b6a43f48617b5465e172b1faf3f2c0da
SHA51286921779c10e48a7ac5dda1131c752c2b97ef5b29545cb6f639c1339cac1349f6c017821505e9b8dd661b046e63adc35ffc321411ce4012f53ad13656e1eaae3
-
Filesize
1KB
MD5695e4e65f236d01b85aca7f0b5378736
SHA1cd20f4f476f821e0f0b673fc5a98430fde7293fa
SHA256d67a82c8bf64682c623aa529872f59b9ca2a3ab94de2fe534bb1d1e9f66e7f8a
SHA512777d501df29203419790d1298dc74327811824263b50d799ce172f19090c480427baaff07399a4ff45b0fb70480f0b912926049d5d84a8f7f7a90a6b7834d361
-
Filesize
1KB
MD5acd9944de9f18ab045eba87a6c8a5a98
SHA16be50cae2607871e6b8d601f58251f78ae689cb6
SHA25603c923784fbae355d686ae03488753166f8c7e2528447f4b028cde6aae0e7452
SHA512f0ff500d8da2fe1339bdd46fb4a76f65370ff20f3e2d9aea813514d0c134808c4e2ec881636b2ca01bcddee4ed993d4af334ebd0593b0048c58be3dd4e387d58
-
Filesize
7KB
MD561fbd5746321e186a2dc85d56446ca88
SHA1ea4c7fce878d59d657ffef51b61cf5aaaed0ba97
SHA256568b327ae9bda202e4ba6340dc9fa7017ba4c4f17d54e4f4f6e4206bf748e125
SHA512ad824f0058b4d360fbdf7a69cead8f93412a14e4154e9f51301ac56efff6f4ab299c12d16c262316f28040f3106cd74a60f4371aa965bf5c6cb1787ca3c351bc
-
Filesize
1KB
MD500cb83f38be811789213455f0090586f
SHA14ed6dba085d7eba8c489ff029c94edb7377ae292
SHA256dd44d6022d5bc4857ccf589d354ceae900430ac287e6f011ff8e3d531160f8fa
SHA512887f3bd132a6f3881aa35c2ce64e038ab8ed47da9c97809ae29efe48dce562dd6a86c8c4d41e86d128ae8e0af4dd6cf9921e21b51206ceb38f53c769491218cf
-
Filesize
1KB
MD57f48e12c664157f78a385a8024932381
SHA19190812be73125eff725a307cd0482774bca2023
SHA25695f4f9d6b3c3455daef49deeee048c51ce46a45dafad5c1b13418493d8227ada
SHA51287e66e7f492f9435188624cbf41000ac463abd753911bd22d5322cdc41ac91c4b3f14454b5e5d6c006d171f26bdb1ff3cd637df388482b8fe9dbdc66f0b75952
-
Filesize
7KB
MD5c773c0cabb2cec103afb23c692e53651
SHA1a6e631413de4405851278356a200483391a56b41
SHA2562fe651f3d1dad18c7eae21a8c8351d61ba40554dcc151ba6ce4c5ef06803a56c
SHA51203b28043c2893eacec969e2024ed4482f2fa9cbc24f7e42a7422d3e944a5ecd5e37120109df57473b9a3493de1575ce34d3e9817cc9fbd851e774134d2250cfd
-
Filesize
7KB
MD5cd1b84328634ea783ac06ddf08878761
SHA1552553d95aa3ce7b85f50519ed36145da47ed570
SHA256a696b6dc108c7d6e3b417ae5e4f577872947269a1a6d6631e48091b903f35e1b
SHA512162b2b2af1d5a3f03de04eaaa2eac076dbcf7c6d743b134a0ef092bc5642ace26d040c535fecac1340f07bfba7dfaa4b748672e02e5299d0071c334c7139cf4e
-
Filesize
7KB
MD517bd146b1c25982a02c23d5d77eeb350
SHA18192b4dcf4578b44cca6d421022b2a018c301e39
SHA25641495452a5ffef73bc2bf147fea4db92a0859a1992bbcbdda77819d2314607f0
SHA512b7acdfd5d700ff92e55875d723a265025b1601d54b1ff39524cb345332b55893abb8b95dfd0867b7fcac64424c4486f108516c8452987bd1ed2d38e736654c34
-
Filesize
1KB
MD53ebc2927e073487fb76673c56a09ceb0
SHA16bcf746233090b24a19a5fa13868bd22b35b3a75
SHA256e5f3fe1201293e98b5e4fd4fb37b41187152e597731c6b6e718bca0f580942f5
SHA512545ef22617205892fc72e63c86dc1bd7ebab0fc9a4ab5b631f384eee4988004d3da3d62982626281934835e3fc14a93484f7d75b3fe8bbddcadc4814d15845f6
-
Filesize
1KB
MD586528c466169d7abbdbac52f2e85d989
SHA19eb6eae8fbb1f89f15e5c07c1b187876317d485e
SHA256ed1d76c94ad3f4dafc81a4734f7a41255af24f83054c68d2d8fb190296ab16a3
SHA512fd76b596da8ff1adec9b014c09f7f82803b0c89c1495da383580c00a3c9baf9b6a15638be922097f913f9030e285eb74304c3fbe9ef50941c17b87e10815d2fc
-
Filesize
7KB
MD52a80d4ab30291975270f0cae503db585
SHA1726b7c6bd36f356b8e621576b54e970489a56bef
SHA256e307ca0d8febcebf488a1afcabd549556d03df63cbc883c80c1e011f22a556f9
SHA51265f0e207f3aa9395f0b5a17af3474ee9eb7cd1acf95ce91f58ebf6d6f7aae1f5dc4f5a4af17dc22aaa5a96037364fae096abdd11748391da9d1c89be20176342
-
Filesize
1KB
MD55dc63a512fb3801a0fdb7839d0bb169d
SHA14d0060195a94aa561c2500fb4ebbfc9a5e02135b
SHA256001c38234ef82c75a813a76adfcb372af1e0e31e341924f698827a6365334107
SHA512ca45817196810a26cc56cb1efd32811f54335dab36bebd185764850b494f4a0749061f5c96cf92b1ab65d0b153039e55769d3d61144d68756fee273a42cdc405
-
Filesize
203B
MD5cde5acff546939ea7367b47bc2c00950
SHA131150f60ed114059e263042eb606aa30a47e1b30
SHA256b9bd73b12cb1d9b5d2a1fa5fd3e709a04afc6c126bd5762f86f8c1d3d1b362a3
SHA5127ccd138771575b7facce351e5e0a547893e78e9670bf5a49780a972b18bcb7c32fdfef660d00a03b6a11d175cee483c775a5aea83a545f421c610c95b92b268e
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
12KB
MD5fa2bce047c2e597966bcdbd8b63ee4f2
SHA14e449ae1508dea76091b8eb192dc8d89cd1ebdfa
SHA25647f0dd66c66f5efa8b867567b247679e27ef70a66490cc7fadd7e9405fd5ee7a
SHA512f15c5e1a7a562222ad2d3b00c12d64b3ffaed40f68851fab1a70fb0a814727a0f6f4f65f31d88aebb5ec26ea2666b91d0e6c1ca5b24bb030b5518a21c90df539
-
Filesize
11KB
MD501e2b4f583bf9163a10928b761bdc2c6
SHA1c782d73c8e9c095408277c2b55f1873176abd54a
SHA2566be72ec729b17b83d27a17ee97fd28563ba67ef463ecc380714af8dcf792319d
SHA51271a3bc6a7e28fcb84538f13eb37e21f884705fb8d485d6c8f24c6c3f619814ad0fd44b4eae3672fac6f252c69de617af7869656c6baf3745352b346a2abcfeff
-
Filesize
12KB
MD5650829e80123702e68ff62c952392eab
SHA18cf5ddb577d24b531291130e71cb0538f37aced3
SHA256f21bd4b65f04cd7e5c9be0cdf1569f113ff8323434ba0fd31b13bb2adfe025e4
SHA512531c998e5a7427598737d48eb74205accb1cb7f835465b191600f16288e8439a2911a67f3790741ab62bcb14be70768d472c6968185b1635b04546c2ffe50bb2
-
Filesize
12KB
MD5f90a0985a054c7b891dbdc57041cac91
SHA1341fbf11cda2e095dda4d472368d8eb3ac6298b9
SHA256234896f3739108d0da012b1f9771044a1dacb94815e8297060a4ad174cc7f200
SHA512261a2f161288cfedd9f1d0f25da473cc428bfe402e58a6ff49cbbdf4a39acd8ec05de3aecb26ddff5ea38b876f83ccb1065225317ec8da993794e0e36ff3429b
-
Filesize
12KB
MD578a599b4d2828bf4cf2ff3a8f2d39bb5
SHA1864006e3b65d268ded0ff80ca3d9bd6900128750
SHA2567c448996eddc406ec61fd709e19919f0f9ba1b65b593388d7617ad2cce4e5755
SHA512cd72b611e70fd422f57e48a502a7014ec3a5d6058a754f360c7d67585211ef3bb58f6b69947eb345dc44293cf4f5143a2d3bb1c9bc6ef7367cbfbf058f8b2436
-
Filesize
12KB
MD5f2e16f491914e5868e4d26b627eb8635
SHA1f83972a687673febeea1dc48c5cb8bdea272ad7f
SHA256344531babc85928fcdfb5c2a00c29b259eaf0becc0c1b02f95cc3da3f9eb72c3
SHA512747ab2e1cd013821956fda5aa938ec0f4ee2130a5c2d51565db65ecc9b2fd74c7e52f4b0afc0ab79e33e5e84c49ddd1ac13a8b9e49e79e11ff365be80a841b12
-
Filesize
16.0MB
MD5d9d53a0a7460083d74def37472ab5584
SHA198a0488f9cb1ba4cc46b882ff18327af59ddc07f
SHA2569170bba1ad3e364b90a65b76c0e176f4b0487d29688b0f74c5a5b11d2f032c80
SHA51217207af7065fd0cc48c41e80bf175d3ac28de24c55514d50f8ee55b90dd1ee866ceff3796b9c70cb06bf63adb2a6076a3d95fc1bef9457bf66019e48212b1e56
-
C:\Users\Admin\Downloads\@[email protected]
Filesize933B
MD57a2726bb6e6a79fb1d092b7f2b688af0
SHA1b3effadce8b76aee8cd6ce2eccbb8701797468a2
SHA256840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5
SHA5124e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54
-
C:\Users\Admin\Downloads\@[email protected]
Filesize240KB
MD57bf2b57f2a205768755c07f238fb32cc
SHA145356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA51291a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
-
Filesize
2.3MB
MD55641d280a62b66943bf2d05a72a972c7
SHA1c857f1162c316a25eeff6116e249a97b59538585
SHA256ab14c3f5741c06ad40632447b2fc10662d151afb32066a507aab4ec866ffd488
SHA5120633bc32fa6d31b4c6f04171002ad5da6bb83571b9766e5c8d81002037b4bc96e86eb059d35cf5ce17a1a75767461ba5ac0a89267c3d0e5ce165719ca2af1752
-
Filesize
3.0MB
MD5fe7eb54691ad6e6af77f8a9a0b6de26d
SHA153912d33bec3375153b7e4e68b78d66dab62671a
SHA256e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb
SHA5128ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f
-
Filesize
315KB
MD59f8bc96c96d43ecb69f883388d228754
SHA161ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA2567d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
-
Filesize
15.9MB
MD50f743287c9911b4b1c726c7c7edcaf7d
SHA19760579e73095455fcbaddfe1e7e98a2bb28bfe0
SHA256716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac
SHA5122a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677
-
Filesize
889KB
MD5ca57530243c381d9154b22cea2b3ec68
SHA172dbcd84d9e26085b89c674397d8f97238d846d1
SHA25691711348506ee7d327f16060d3256ce845474065a36b1b624ce390e0109fcea5
SHA5120580b7f3454cea4fa54d23587c39c8713b060149b2e65bcef874bb0050a961256ce9db7b997d0ee3e98582151c8227a5370a1c6842b4e978a540bf9bb2461920
-
Filesize
431KB
MD5fbbdc39af1139aebba4da004475e8839
SHA1de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA51274eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
Filesize
313KB
MD5fe1bc60a95b2c2d77cd5d232296a7fa4
SHA1c07dfdea8da2da5bad036e7c2f5d37582e1cf684
SHA256b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
SHA512266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
116KB
MD541789c704a0eecfdd0048b4b4193e752
SHA1fb1e8385691fa3293b7cbfb9b2656cf09f20e722
SHA256b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23
SHA51276391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea
-
Filesize
414KB
MD5c850f942ccf6e45230169cc4bd9eb5c8
SHA151c647e2b150e781bd1910cac4061a2cee1daf89
SHA25686e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f
SHA5122b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9
-
Filesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
Filesize
1.1MB
MD5a74dbc8fc2eeb7775a2384c7c0a3951b
SHA1870256723b2f60d23cf1a9dcd6f5ddf799dd2978
SHA256a09bc66ed2a838a7ecf0a35e8322d3e0433bac49462cc4756f2ff83e71b46a00
SHA512dfee4aec598142ccf6f71ad396ed69501241063d4c7b2bf016c097d52dbf3a40c35744c455cde8ed64ec39eb86765d7c333d2aa63d36e31d4dc9c7a650f99816
-
Filesize
3.4MB
MD584c82835a5d21bbcf75a61706d8ab549
SHA15ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA51290723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
-
Filesize
1.4MB
MD5c17170262312f3be7027bc2ca825bf0c
SHA1f19eceda82973239a1fdc5826bce7691e5dcb4fb
SHA256d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
SHA512c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c
-
Filesize
780B
MD58124a611153cd3aceb85a7ac58eaa25d
SHA1c1d5cd8774261d810dca9b6a8e478d01cd4995d6
SHA2560ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e
SHA512b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17
-
Filesize
46KB
MD595673b0f968c0f55b32204361940d184
SHA181e427d15a1a826b93e91c3d2fa65221c8ca9cff
SHA25640b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd
SHA5127601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92
-
Filesize
53KB
MD50252d45ca21c8e43c9742285c48e91ad
SHA15c14551d2736eef3a1c1970cc492206e531703c1
SHA256845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a
SHA5121bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755
-
Filesize
77KB
MD52efc3690d67cd073a9406a25005f7cea
SHA152c07f98870eabace6ec370b7eb562751e8067e9
SHA2565c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a
SHA5120766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c
-
Filesize
38KB
MD517194003fa70ce477326ce2f6deeb270
SHA1e325988f68d327743926ea317abb9882f347fa73
SHA2563f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171
SHA512dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c
-
Filesize
39KB
MD5537efeecdfa94cc421e58fd82a58ba9e
SHA13609456e16bc16ba447979f3aa69221290ec17d0
SHA2565afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150
SHA512e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b
-
Filesize
36KB
MD52c5a3b81d5c4715b7bea01033367fcb5
SHA1b548b45da8463e17199daafd34c23591f94e82cd
SHA256a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6
SHA512490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3
-
Filesize
36KB
MD57a8d499407c6a647c03c4471a67eaad7
SHA1d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b
SHA2562c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c
SHA512608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12
-
Filesize
36KB
MD5fe68c2dc0d2419b38f44d83f2fcf232e
SHA16c6e49949957215aa2f3dfb72207d249adf36283
SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5
SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810
-
Filesize
36KB
MD5
08b9e69b57e4c9b966664f8e1c27ab09
SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa
SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324
SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4
-
Filesize
37KB
MD5
35c2f97eea8819b1caebd23fee732d8f
SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf
-
Filesize
37KB
MD5
4e57113a6bf6b88fdd32782a4a381274
SHA1
0fccbc91f0f94453d91670c6794f71348711061d
SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc
SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9
-
Filesize
36KB
MD5
3d59bbb5553fe03a89f817819540f469
SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe
SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61
SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac
-
Filesize
47KB
MD5
fb4e8718fea95bb7479727fde80cb424
SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb
SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9
SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb
-
Filesize
36KB
MD5
3788f91c694dfc48e12417ce93356b0f
SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7
SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4
SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd
-
Filesize
36KB
MD5
30a200f78498990095b36f574b6e8690
SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882
SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07
SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511
-
Filesize
79KB
MD5
b77e1221f7ecd0b5d696cb66cda1609e
SHA1
51eb7a254a33d05edf188ded653005dc82de8a46
SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e
SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc
-
Filesize
89KB
MD5
6735cb43fe44832b061eeb3f5956b099
SHA1
d636daf64d524f81367ea92fdafa3726c909bee1
SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0
SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e
-
Filesize
40KB
MD5
c33afb4ecc04ee1bcc6975bea49abe40
SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f
SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536
SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44
-
Filesize
36KB
MD5
ff70cc7c00951084175d12128ce02399
SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18
SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a
SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19
-
Filesize
38KB
MD5
e79d7f2833a9c2e2553c7fe04a1b63f4
SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff
SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e
SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de
-
Filesize
37KB
MD5
fa948f7d8dfb21ceddd6794f2d56b44f
SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a
SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66
SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a
-
Filesize
50KB
MD5
313e0ececd24f4fa1504118a11bc7986
SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d
SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1
SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730
-
Filesize
46KB
MD5
452615db2336d60af7e2057481e4cab5
SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6
SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078
SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f
-
Filesize
40KB
MD5
c911aba4ab1da6c28cf86338ab2ab6cc
SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0
SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729
SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a
-
Filesize
36KB
MD5
8d61648d34cba8ae9d1e2a219019add1
SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2
SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1
SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079