dharma | hxxp://ii

Analysis

max time kernel
735s
max time network
737s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://ii

Score

10^/10

dharma wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (520) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	CoronaVirus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	msedge.exe

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD222.tmp	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD229.tmp	WannaCrypt0r.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe

Executes dropped EXE 64 IoCs

pid	Process
4928	CoronaVirus.exe
60	CoronaVirus.exe
27180	msedge.exe
22656	msedge.exe
16644	msedge.exe
13980	msedge.exe
15340	WannaCrypt0r.exe
18948	taskdl.exe
17728	@[email protected]
18904	@[email protected]
21684	taskhsvc.exe
21068	WannaCrypt0r.exe
18460	taskdl.exe
23068	taskse.exe
21084	@[email protected]
23304	taskdl.exe
23264	taskse.exe
23332	@[email protected]
23404	@[email protected]
23408	taskse.exe
23420	taskdl.exe
12452	taskse.exe
12432	@[email protected]
5024	taskdl.exe
3048	taskse.exe
3036	@[email protected]
10784	taskdl.exe
5312	msedge.exe
5300	msedge.exe
4568	msedge.exe
5492	taskse.exe
5516	@[email protected]
5520	taskdl.exe
5592	msedge.exe
6420	taskse.exe
6432	@[email protected]
6504	taskdl.exe
7336	taskse.exe
7332	@[email protected]
7284	taskdl.exe
7780	taskse.exe
7772	@[email protected]
7828	taskdl.exe
8036	taskse.exe
8024	@[email protected]
8080	taskdl.exe
8628	@[email protected]
8612	taskse.exe
8648	taskdl.exe
8784	taskse.exe
8828	@[email protected]
8808	taskdl.exe
9084	@[email protected]
9044	taskse.exe
9092	taskdl.exe
9244	taskse.exe
18392	@[email protected]
9268	taskdl.exe
9376	taskse.exe
9476	@[email protected]
9448	taskdl.exe
9560	taskse.exe
9548	@[email protected]
9584	taskdl.exe

Loads dropped DLL 15 IoCs

pid	Process
27180	msedge.exe
22656	msedge.exe
16644	msedge.exe
13980	msedge.exe
21684	taskhsvc.exe
21684	taskhsvc.exe
21684	taskhsvc.exe
21684	taskhsvc.exe
21684	taskhsvc.exe
21684	taskhsvc.exe
21684	taskhsvc.exe
5300	msedge.exe
5312	msedge.exe
4568	msedge.exe
5592	msedge.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
19124	icacls.exe
20720	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rqfwisumbnwperc568 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-464762018-485119342-1613148473-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-464762018-485119342-1613148473-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	CoronaVirus.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
102	raw.githubusercontent.com
103	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCrypt0r.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\82.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\WebviewOffline.html	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\ui-strings.js.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\AFTRNOON.ELM.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-ms.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\da-dk\ui-strings.js.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-il\ui-strings.js.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\iheart-radio.scale-125_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-32.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\charsets.jar.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\BREEZE.INF	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado26.tlb	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-400.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\vk_swiftshader_icd.json	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdaps.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\THMBNAIL.PNG.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_pdf_18.svg	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\MedTile.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\ui-strings.js.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected].[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageMedTile.scale-125_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_altform-lightunplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\WT61FR.LEX	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libglinterop_dxva2_plugin.dll.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-phn.xrm-ms.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\STSUPLD.INTL.DLL.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClientSideProviders.resources.dll.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MsoAriaCApiWrapper.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.AddinTelemetry.dll.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsepia_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Entities.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-48_altform-unplated.png	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\System.Windows.Controls.Ribbon.resources.dll.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-unplated_contrast-white.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_es-419.dll.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\virgo_mycomputer_folder_icon.svg.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\librtp_plugin.dll.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-60.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\ui-strings.js.id-9AE36226.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Contain.Tests.ps1	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\Road.png	CoronaVirus.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File created	C:\Windows\rescache\_merged\2229298842\4107406817.pri	LogonUI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
26828	vssadmin.exe
26564	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 0992616043d2da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{B5C15B15-2A3D-41A3-9D18-BB45CF3AE79F}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C48D7F6C-42EE-11EF-AF84-5EC22215AA79} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "70"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\敲d\ = "ncov_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\ncov_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-464762018-485119342-1613148473-1000\{218F8F99-0FB8-4405-9557-B6135A96DC45}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\ɛ	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\ɛ\ = "ncov_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\ncov_auto_file\shell\open\CommandId = "IE.File"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\.ncov	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\ncov_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\敲d	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\ncov_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\.ncov\ = "ncov_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\ncov_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\ncov_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\ncov_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	iexplore.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
21064	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 430012.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 408146.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3888	msedge.exe
3888	msedge.exe
3636	msedge.exe
3636	msedge.exe
956	identity_helper.exe
956	identity_helper.exe
2032	msedge.exe
2032	msedge.exe
3044	msedge.exe
3044	msedge.exe
4888	identity_helper.exe
4888	identity_helper.exe
4768	msedge.exe
4768	msedge.exe
4124	msedge.exe
4124	msedge.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe
4928	CoronaVirus.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
7952	OpenWith.exe
7332	@[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	26704	vssvc.exe
Token: SeRestorePrivilege	26704	vssvc.exe
Token: SeAuditPrivilege	26704	vssvc.exe
Token: SeIncreaseQuotaPrivilege	20364	WMIC.exe
Token: SeSecurityPrivilege	20364	WMIC.exe
Token: SeTakeOwnershipPrivilege	20364	WMIC.exe
Token: SeLoadDriverPrivilege	20364	WMIC.exe
Token: SeSystemProfilePrivilege	20364	WMIC.exe
Token: SeSystemtimePrivilege	20364	WMIC.exe
Token: SeProfSingleProcessPrivilege	20364	WMIC.exe
Token: SeIncBasePriorityPrivilege	20364	WMIC.exe
Token: SeCreatePagefilePrivilege	20364	WMIC.exe
Token: SeBackupPrivilege	20364	WMIC.exe
Token: SeRestorePrivilege	20364	WMIC.exe
Token: SeShutdownPrivilege	20364	WMIC.exe
Token: SeDebugPrivilege	20364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	20364	WMIC.exe
Token: SeRemoteShutdownPrivilege	20364	WMIC.exe
Token: SeUndockPrivilege	20364	WMIC.exe
Token: SeManageVolumePrivilege	20364	WMIC.exe
Token: 33	20364	WMIC.exe
Token: 34	20364	WMIC.exe
Token: 35	20364	WMIC.exe
Token: 36	20364	WMIC.exe
Token: SeIncreaseQuotaPrivilege	20364	WMIC.exe
Token: SeSecurityPrivilege	20364	WMIC.exe
Token: SeTakeOwnershipPrivilege	20364	WMIC.exe
Token: SeLoadDriverPrivilege	20364	WMIC.exe
Token: SeSystemProfilePrivilege	20364	WMIC.exe
Token: SeSystemtimePrivilege	20364	WMIC.exe
Token: SeProfSingleProcessPrivilege	20364	WMIC.exe
Token: SeIncBasePriorityPrivilege	20364	WMIC.exe
Token: SeCreatePagefilePrivilege	20364	WMIC.exe
Token: SeBackupPrivilege	20364	WMIC.exe
Token: SeRestorePrivilege	20364	WMIC.exe
Token: SeShutdownPrivilege	20364	WMIC.exe
Token: SeDebugPrivilege	20364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	20364	WMIC.exe
Token: SeRemoteShutdownPrivilege	20364	WMIC.exe
Token: SeUndockPrivilege	20364	WMIC.exe
Token: SeManageVolumePrivilege	20364	WMIC.exe
Token: 33	20364	WMIC.exe
Token: 34	20364	WMIC.exe
Token: 35	20364	WMIC.exe
Token: 36	20364	WMIC.exe
Token: SeTcbPrivilege	23068	taskse.exe
Token: SeTcbPrivilege	23068	taskse.exe
Token: SeTcbPrivilege	23264	taskse.exe
Token: SeTcbPrivilege	23264	taskse.exe
Token: SeTcbPrivilege	23408	taskse.exe
Token: SeTcbPrivilege	23408	taskse.exe
Token: SeTcbPrivilege	12452	taskse.exe
Token: SeTcbPrivilege	12452	taskse.exe
Token: SeTcbPrivilege	3048	taskse.exe
Token: SeTcbPrivilege	3048	taskse.exe
Token: SeTcbPrivilege	5492	taskse.exe
Token: SeTcbPrivilege	5492	taskse.exe
Token: SeTcbPrivilege	6420	taskse.exe
Token: SeTcbPrivilege	6420	taskse.exe
Token: SeTcbPrivilege	7336	taskse.exe
Token: SeTcbPrivilege	7336	taskse.exe
Token: SeTcbPrivilege	7780	taskse.exe
Token: SeTcbPrivilege	7780	taskse.exe
Token: SeTcbPrivilege	8036	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
17728	@[email protected]
17728	@[email protected]
18904	@[email protected]
18904	@[email protected]
21084	@[email protected]
21084	@[email protected]
23332	@[email protected]
23404	@[email protected]
12432	@[email protected]
3036	@[email protected]
5516	@[email protected]
6432	@[email protected]
7332	@[email protected]
7332	@[email protected]
7576	mspaint.exe
7576	mspaint.exe
7576	mspaint.exe
7576	mspaint.exe
7772	@[email protected]
7952	OpenWith.exe
8024	@[email protected]
7952	OpenWith.exe
7952	OpenWith.exe
7952	OpenWith.exe
7952	OpenWith.exe
7952	OpenWith.exe
7952	OpenWith.exe
7952	OpenWith.exe
7952	OpenWith.exe
7952	OpenWith.exe
7952	OpenWith.exe
8152	iexplore.exe
8152	iexplore.exe
8256	IEXPLORE.EXE
8256	IEXPLORE.EXE
8152	iexplore.exe
8152	iexplore.exe
8448	IEXPLORE.EXE
8448	IEXPLORE.EXE
8628	@[email protected]
8828	@[email protected]
9084	@[email protected]
18392	@[email protected]
9476	@[email protected]
9548	@[email protected]
11380	@[email protected]
11840	LogonUI.exe
11840	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 4128	3636	msedge.exe	83
PID 3636 wrote to memory of 4128	3636	msedge.exe	83
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 2944	3636	msedge.exe	84
PID 3636 wrote to memory of 3888	3636	msedge.exe	85
PID 3636 wrote to memory of 3888	3636	msedge.exe	85
PID 3636 wrote to memory of 2484	3636	msedge.exe	86
PID 3636 wrote to memory of 2484	3636	msedge.exe	86
PID 3636 wrote to memory of 2484	3636	msedge.exe	86
PID 3636 wrote to memory of 2484	3636	msedge.exe	86
PID 3636 wrote to memory of 2484	3636	msedge.exe	86
PID 3636 wrote to memory of 2484	3636	msedge.exe	86
PID 3636 wrote to memory of 2484	3636	msedge.exe	86
PID 3636 wrote to memory of 2484	3636	msedge.exe	86
PID 3636 wrote to memory of 2484	3636	msedge.exe	86
PID 3636 wrote to memory of 2484	3636	msedge.exe	86
PID 3636 wrote to memory of 2484	3636	msedge.exe	86
PID 3636 wrote to memory of 2484	3636	msedge.exe	86
PID 3636 wrote to memory of 2484	3636	msedge.exe	86
PID 3636 wrote to memory of 2484	3636	msedge.exe	86
PID 3636 wrote to memory of 2484	3636	msedge.exe	86
PID 3636 wrote to memory of 2484	3636	msedge.exe	86
PID 3636 wrote to memory of 2484	3636	msedge.exe	86
PID 3636 wrote to memory of 2484	3636	msedge.exe	86
PID 3636 wrote to memory of 2484	3636	msedge.exe	86
PID 3636 wrote to memory of 2484	3636	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
20664	attrib.exe
19176	attrib.exe
18764	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ii
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef3b446f8,0x7ffef3b44708,0x7ffef3b44718
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,1764691535587669879,13480556373939705920,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,1764691535587669879,13480556373939705920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,1764691535587669879,13480556373939705920,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1764691535587669879,13480556373939705920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1764691535587669879,13480556373939705920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1764691535587669879,13480556373939705920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,1764691535587669879,13480556373939705920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,1764691535587669879,13480556373939705920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4244 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,1764691535587669879,13480556373939705920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffef3b446f8,0x7ffef3b44708,0x7ffef3b44718
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3752 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3752 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5492 /prefetch:8
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2244 /prefetch:1
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5900 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2300 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6620 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4124
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4928
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:768
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:14644
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:26564
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:26872
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:26672
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:26828
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:26480
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:26524
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4388 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:27180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:22656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1420 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:16644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:13980
- C:\Users\Admin\Downloads\WannaCrypt0r.exe
  "C:\Users\Admin\Downloads\WannaCrypt0r.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  PID:15340
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - Views/modifies file attributes
    PID:19176
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:19124
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:18948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 268601721077570.bat
    3⤵
    PID:19308
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      PID:19560
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - Views/modifies file attributes
    PID:18764
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:17728
  - - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:21684
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    PID:17712
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:18904
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        
        PID:20488
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:20364
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:18460
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:23068
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious use of SetWindowsHookEx
    PID:21084
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "rqfwisumbnwperc568" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    PID:21200
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "rqfwisumbnwperc568" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:21064
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:23304
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:23264
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:23332
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:23408
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:23404
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:23420
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:12452
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:12432
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:5024
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3036
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:10784
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5492
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5516
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:5520
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:6420
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:6432
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:6504
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:7336
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:7332
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:7284
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:7780
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:7772
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:7828
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:8036
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:8024
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:8080
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:8612
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:8628
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:8648
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:8784
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:8828
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:8808
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:9044
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:9084
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:9092
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:9244
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:18392
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:9268
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:9376
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:9476
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:9448
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:9560
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:9548
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:9584
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    PID:11308
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:11380
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    PID:11444
- C:\Users\Admin\Downloads\WannaCrypt0r.exe
  "C:\Users\Admin\Downloads\WannaCrypt0r.exe"
  2⤵
  - Executes dropped EXE
  PID:21068
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - Views/modifies file attributes
    PID:20664
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:20720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2264 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1764 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3689100685220072781,5684077211501577962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2280

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:26704

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\a439406eef8b4527b1ed5d209d3d4b2b /t 26528 /p 26524
1⤵
PID:27100

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\25e03c91101b4499adbc30197fa93a0a /t 26484 /p 26480
1⤵
PID:27440

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\c2b60a7154cc4c2fb6676c8c6b9a87c6 /t 20624 /p 21084
1⤵
PID:6528

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\@[email protected]
1⤵
PID:6804

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:7576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:7680

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:7952
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ExitProtect.xlsx.id-9AE36226.[[email protected]].ncov
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:8152
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8152 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:8256
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ExitProtect.xlsx.id-9AE36226.[[email protected]].ncov
    3⤵
    - Modifies Internet Explorer settings
    PID:8380
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8152 CREDAT:82948 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:8448

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa393d055 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:11840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-9AE36226.[[email protected]].ncov

Filesize
3.2MB

MD5
919e21485e65b67caf813ca04b435852

SHA1
bc42c0e1654642ad7bffe638b5ea94ecf4ecd92d

SHA256
26eb47ca687eb659c48d8d129f8d02bcaaf57401ab5de538abc2cf9cde3496d2

SHA512
d24a2ee0c33402336a80293069be79eda6c57fc8de4b2e33a1303fa8a1db53d7b359b396c9f8186fe9f83ab682388a86ccf922d8b5fd643b22497a1c40eaec3e

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\@[email protected]

Filesize
585B

MD5
3caf73ff681e4ede14a13cc5371212ea

SHA1
161c4a214983c63e03a1d73a4a3f9b640295351c

SHA256
b75ea3a88ad34f86e3a78a3fa369b0b96070e5b74af4ed34ed2334780292bbd1

SHA512
c85e1e258da99ba124917cdff0a8403c19f4151ef744cec5083ee3077827f763d5b3f918e9132339c02a9eae9a8199ec3b269073223ff3f94315c8cbf086f4e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aafa8276543378489a8589cfee1fd302

SHA1
525350fc947ccc0a136cd8a16e251bc9b022b81f

SHA256
68a7c8735fa7eee66efe863a7062d183c772b34ae246989f756090ee8a7f40d1

SHA512
1595b8b67506aea4e8e0dced628c4f5238d81c358230c918b507108a4712551eb5677966547e78c4dc45552581e872ea2863f5c2e907f8a42dadcbe6ddf2afd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
04b60a51907d399f3685e03094b603cb

SHA1
228d18888782f4e66ca207c1a073560e0a4cc6e7

SHA256
87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3

SHA512
2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3f95751c7296e92ec003a25c3d552237

SHA1
e51268ebd8ee09928723d70c4152c4f6b2fcf7e0

SHA256
7729bd5e89d7703f10de5b5c93dc1be9711ef65837f1f7cbf309ad0fba75b2ae

SHA512
df086a6bababd185cee5d898c42e23bb3bb1f349ae8cf2140e9634b2c6f653601095602eafa7f4197ca50e84aec5f89384c98951172b2e629ecb2f4f7e154b8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9622e603d436ca747f3a4407a6ca952e

SHA1
297d9aed5337a8a7290ea436b61458c372b1d497

SHA256
ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

SHA512
f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9e686a37-5b55-414d-9633-59b34217faa0.tmp

Filesize
7KB

MD5
8a51e83fb6b9d01535b2554d9868ec87

SHA1
c6d49b03909a0e3dac69f2357a5bac3cbceb7b5d

SHA256
49e2763d2af5b577ad7bd4897f0b9694d97400944343d99fe4384dba14bf6485

SHA512
7048ce79aa9033b998a15c0a6dc2f82c1f8e4c9bd0b7754a180b8d5ad913cb9c3f9198fa7edc7059f1a9b3458f896899a4624c35eba2ef2485d60704ea8456af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
f83bc9382ae42f572f8795aad8758e68

SHA1
4e09f0ca621b52712a95ca1521b58f17c797c346

SHA256
978a0122354a973d76872769414ad0d59873cfc5af02b258621cc635783a5bf8

SHA512
0074fe1a86d9e6baccf706b8d0b4618807a0b5ca08cd6e77fbf203a39ff56f73f36fa6a10e3f991cde33c4460cb08c2c3ed184db03b0e213c0b1db045054ea91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
a07b069fd63577757abaf8acb632510e

SHA1
86fd66e6be4550ef713028244c45337872e7fb15

SHA256
ec52df72a2710d7951c5d54503babe741369cb2c9887c48410b7705d731cc7bc

SHA512
4a7c196ceaaef44172fbb3db20055583c3dda935d070bc3a7fc38f93d3ce49435c0541fd67d7a3439fd558b93db5f8c784eb83ed847d916d239de712785002ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
67KB

MD5
9e3f75f0eac6a6d237054f7b98301754

SHA1
80a6cb454163c3c11449e3988ad04d6ad6d2b432

SHA256
33a84dec02c65acb6918a1ae82afa05664ee27ad2f07760e8b008636510fd5bf

SHA512
5cea53f27a4fdbd32355235c90ce3d9b39f550a1b070574cbc4ea892e9901ab0acace0f8eeb5814515ca6ff2970bc3cc0559a0c87075ac4bb3251bc8eaee6236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
41KB

MD5
de01a584e546502ef1f07ff3855a365f

SHA1
60007565a3e6c1161668779af9a93d84eac7bca8

SHA256
9ed00a33812a1705d33ccf2c3717120f536e3f4e07e405539e1b01c5a38a14ea

SHA512
1582b69b40e05bad47f789e1b021cdd5e3f75548a39a99e0db1b15138425e530e25ce6e56185b1dfa5f51758d2709e52d53f309da2e662ebc34c8d4974ab6469

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
1.2MB

MD5
c71e53854f68266b9b7f2151cfcc5c32

SHA1
356fa2aa7d9a8c7585d846fadde297d33166ecd6

SHA256
ba4913f000f60e3762611198396ef0bf07204cb4381a74d83328e6369eaf39b5

SHA512
d261f7efb5490d0e9e11517d1e96d8d090bb0a64584565afe335ab9becb54f399e5eea088156c999004b771f4cabaa107256822bc1c4085194a35744d7915270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
18KB

MD5
34e6cfae9b4f41df8daae9016a3feb5c

SHA1
515bae305fe1232d44731ed7322f0b5be385695f

SHA256
453fc81af87e6faf1877e18d4898c42d3b215d4e0f7f27b4d093c9195c790933

SHA512
e79af7a85f196ca55d5a9215b0acdeb2e928946b5a0fdd43adc136381e2b1360a3869b1c539b97b86b98aaf55008f00d117b4b0f3adb8532a5fbe7e7afe7adf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
1ec93f3809af2e5a470408ef96677870

SHA1
9d34eb0a745deb1699a6db353bbcaae879d925f8

SHA256
e2394e56e6230e1258b3eb7fca5eea3a751666e40aa26f5381670b2f0a6eb7da

SHA512
5b6b6a608b9aaa0f3c02186c5585d11b269cc5867f311f0169fe4508e9ea02e097c64a9c6357efb828af22acb50b2fb66c147f9026b9cb14763f866525ecb3df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
f8b44124d84234900754205a5f050c12

SHA1
20cc27fd312753870de4236a5e658e1f73588ed3

SHA256
35d3cdcad33de8549579d8d59581dfa6a5bebbaac55e3fde2097ba70beabf484

SHA512
d34d2c83f2a9d4eb0aca84f88961b53ff65fb26929897bb21c4b201235e228d4b942a477c1e04a6011fb22b6ae4592976c0001cfae7497d6be4fb44a5d6e35cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
d698f5c3bd975470e514bf364acd3b56

SHA1
b1be360461a6ee8cc1f17e2ce8442b9ca3c03e02

SHA256
e89de1150252cb1d77397a45b1345fcb57058a567355e5e2c5055bde3595e2b0

SHA512
7ec12d30fb99561f12584e3790db7a80f40d3d1c897a379023c677965d7b15b1c9bf34f13db5b3be03645b85835e297470150fa9a84c553536485a377d689708

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor

Filesize
36KB

MD5
cf4b0a74bdc68a111bd7ccbd8569daa5

SHA1
e567e83b8db5476018dfed63802d0f60690c8139

SHA256
f79fc9fca22eace1d33311f380f135b75b30baa639f2d819fa437580ef268b6d

SHA512
4ffda967282821d319e22334cc4410eb8883b436654c2ffa65a7a75fdac296a349a672c734e8fed023b9b34d5f17d1af611f81d433108f898459b5ae412dac9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fef1a1da2087d3aad9457a33804c5b1c

SHA1
12e973469591e055400a84243e4e363e85d5312e

SHA256
75db2ad7dff644fdbe2f64346c0643cd869d44f4e8c2ffe21673be3c24af88bc

SHA512
e2d80c4872bd18eeb89e5a3165396f38c0a5f061dd5544f2b0a56dce99dc396d6b689d1c73f107e2cbc821a367e9b690da388c2106195ebe2b506c668469fd80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
48ab190243b8c83ef6e029e5e1a9a5a0

SHA1
ff4963f64fc7ee2bde1b4fc1fec8c1f3bf1a3cf0

SHA256
abd6d871d48b0497148f3b0ab06b8e121b722f6868e2b01d9c83c497cddfe03c

SHA512
9380fccd51b0f95ef99f0274636cda13f51bb3548dab7d161619ce3a55a99c7b7f6f926e1034617a3a48ac41f37442e860e2d0e5391579bdaa8774010da8f6b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5e7f7e.TMP

Filesize
1KB

MD5
c95c2934b54774c31d5bf13a69c69a43

SHA1
202bf32a4f69a871aeb70953283a13a48fbaa9ba

SHA256
3707fa9a9839ffbbce5437e2c88e0c3c66264ee77a6352f2f9e79c5705076660

SHA512
27819f0fdc61c835dfeb923c20e455b993cb185587a09cc1b858bb7acac72cbed796b0c50dc6918c5b9d03653ccab1e7769c0378106616e1d3707a318c82c726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e6d1691a1ed9491bf856c7d1271266f3

SHA1
0729c3bddfc2e2443199ac1bd9f6efdd82779af4

SHA256
eef94d9f17a724617716b2d9cd4d9c6cf773f5d67b6f32bc03a99f7a8422c767

SHA512
1ecb903a9cef9c589945ae26830203086b5591a8747809ec1f3ef1261f0f9a91737c9dfba7c6c42e040ca367c1c5dcc294fb437028a2aef70788838b7f78625c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
263aa4b80cfa7308f4c19f815b7485c1

SHA1
ff89b72dc324bd382c301c571fba825e1b9cfaf9

SHA256
f32f9e42d71bb5447ba8b2b03213c7128d21ef996cffd8edf2d0ba46b0990bb1

SHA512
77530e44b6526447212890fa61ef50901f2a92080ca381943daf0ec97b845974c613cbfb755ac22f0d8ea964028de12e205392dca0e54acc37fc751c57191099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f2621b315c65a8bbd561627ae6bbca32

SHA1
bcc2ceb54bcfe6135da52dfd32b2a89b183d7902

SHA256
68beaeeff5a90ac94aa5dc449f075282916b88a963a147dcc0d66b9e6cdd2035

SHA512
6bb5f64a1567d9f4a6999272eb8ffd607ecf5266a903de5755acdff0bf8ca49228347d811268ba4da8459ddf55cd857b88becd050224a67cf1032511264184b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0af4b502525a10e7a523b610c18ae92a

SHA1
b534dcdb3d6d7ed1fb0af0af89fe7e5bfe3d3eaa

SHA256
2012b5bf5fc8650bd806a0d71284d7eba0c3e44826679296481edc4de19bf082

SHA512
7ec92fb5cb023af1d60926f2eeed89a6af84ec461c817e3709caecab187aa13151210cad418bb8c8da7ba95aba952874382c34ad2fbbfc2aa807d1fe0a6d0e10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a01abf3a53334a73b349b6be1668a9f0

SHA1
142942157993bfb3cea64f059ab04a23ae9ac40e

SHA256
6d9336c44261fc66f4ee30532cff75c9a660b8adae575310b7ec74b2ba271b4c

SHA512
43b83185bdaafd1b833a7adfe27031a72724336d520d6049711a9d5c5df6cff2708f125cb9450f7662ac1327c8cb9ea8f42fa0f0d5caa38069d911564fa1ba52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
279679dfee334fe3ec2cb32de1fb99e0

SHA1
d289a026cdb71169a459d0550234e33d78d20347

SHA256
fce1e6e97111b8020724ac2e516ef3a4b41aaf1fc0e3d013eb1f66b78d2dc8e3

SHA512
fa24df0f197a97c43b8e99f6169c905bd7bc850500284003c883e925429cfcae75145c613fa20c8a06828685bb7025953d2053dcb6dc54c4b0586df053a6cdbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
317bbe7f45b0fe8a2cb59d898a8daaac

SHA1
8432bab20b953859b857c9d52ac261b2323fdad2

SHA256
66446be327e2ddc6d69010fce4ebf8866bc0b975ad7e105edae3b3b6e69a730b

SHA512
64cf753d38974f3fb170dd8cefb6c029a436d057585b00aa9a8836684e3e6cd5f83c0e8e062f1291771eb08a013ddc5e13ced1887a351debbc5884b175d7cbd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f238c72f6b8ba8b8b18e5579cae07c42

SHA1
15795250a3631fc222fd03c5cfb113a2d7d32dd3

SHA256
48201483ffd1ec16d844133fcaf395d2c3f5da2c17ef88764bb064526d038779

SHA512
5e0b302aea3f0e5deb409c6eba94006532ea89200088f68204deb9a5e5b1e2a7d0c96915b1693ff00bcdc79514ad1725467bbc2a75385234299c929b33bf7af6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
502d6b493fd3eb494f650911ac1fd26b

SHA1
b36cc6727ae69c15d435f8f6ee784932506c9ca9

SHA256
022cd6cc54fdd1454d701ada7a7c163060789e9410d5091095bc31312da94c84

SHA512
0caf064d3713a7dcd4a3d1484819d3fe59123321968492cd716a7564770d6a85e5bcbeeb0af2965d3ab20768ab145ca6d5e4d0ad930a19181957b70d6a58e22e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b022b98e673454e86ba59f781f30e591

SHA1
2efd24e267786d33b9591fa3dbf0876b0792cf5a

SHA256
f071051d4d6a4ed46289d9b8502015a015c5aa71324724877326f31db853bb21

SHA512
dd09a07ec4ac48c1ea6b8d52a6ba19a3db3db090bb3733bb41c0e4531a9f6bdaf36d43e01eecb97680ca312e37f53d0bf8402740591a49a4e2bc327dba7084d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps

Filesize
33B

MD5
2b432fef211c69c745aca86de4f8e4ab

SHA1
4b92da8d4c0188cf2409500adcd2200444a82fcc

SHA256
42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de

SHA512
948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
e8df313fe6c56b4e5ff4e0d41ff0aec9

SHA1
bcaf5044788499af1eb4496c20b2d60e66e8c9bd

SHA256
4ac3b9f8a4f0acd8596cc28ac9bcd08d22a99653f4e55125e5e92b8ded479819

SHA512
c98968f428d6442740135335b276964e5dc72e568ceb27cc819102e3244203efbc24b5bc97f941e8287669b1bce4aed7f514fe074462a2daaaa1d294edd9a1a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13365550957229745

Filesize
1KB

MD5
5a51c99e44b6e208de2e65bba0e76fa2

SHA1
3efc3ba7c6763518ab30914f24ab70295bce70be

SHA256
5530c0c5ed0218385f954ed39f4e222d1d14204e45e8804342b3cd31e03e3930

SHA512
fab08f5f2804715cd1bc1dfdfc8f688d35533fc685a4c73284621513deb33e839deae9255231e8a093af3d41a98694b808a98aa0252ad834631305705b95efea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13365550957515745

Filesize
1KB

MD5
35e0788ee2c85faadcc590dcd016f86e

SHA1
8f5e231af350f2a47d4a98ee73788c8690a8d316

SHA256
7b4ba86eeccdb55ae468f5a3b46dd6863ea6b8df945b5223ef5ce2b730911f51

SHA512
7cfa81f838bfb70841fdf5157614d4599e32bba2990b0ec43816c611d3be7230132d0ea64a6847a6c4a2a9e211326a753d89d9e773355d6ce7366ca9f0a68f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts

Filesize
20KB

MD5
fca621466ede4c2499ecb9f3728e63ab

SHA1
3d5d4cd0fa702371f9d1a40e72e1fe19d194a3c4

SHA256
c6dde84fb40fb69d1a6637fe6bf781de51a4c24e45b616e8f97afd3c6fe200b8

SHA512
aa12ed8c1ff85af4375ac80d7fe494d6f8a70ddb3357c186a0c1ade9bbcc3efc3de5fb0ad4b81eb2ab9bc916b6adf8b76c30203f78e38cd00af5fa4ccf3e3760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts-journal

Filesize
4KB

MD5
64f18ef8bf1379f34bfb9527d2acc252

SHA1
6e83c3338dff7b4cc7bb7decefaeb324d71bed0d

SHA256
cc660aba74158dbac6d408d8854a52e030001bf31059879ac9b5dcaca1b7744b

SHA512
732f3a50537cbccf050165932d3487814e6993d44f44324b17110ad6fdff1b2cb2aae4be35787ca6b425fab511b63431e5b7149d4682d5dd1ee5abe19bda72ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
24794c0ad51b414b686377b63873e730

SHA1
33d7ef320d2e76a29f9ede8fcb2c45869ffac8bd

SHA256
a57ac0c6e5e987a7f5c8b5ddfd654e8afa4d5c42cf80e91ef26b64abb1caa111

SHA512
46279c9d6034b681dc499b7e403bfce318e74522c0d415023a822b4f94306d38c0c3d2fb1e0535b70e614b540898bfe9e585d617da287766b037449ace816781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
bd74bcaae73392d45ba71a8ff99ba92f

SHA1
a09578492733c7c99cef3ba348ee797f6ebba1a9

SHA256
7b3d8ab1cdfcac05a9d48e846fc2611bd05fb530572854573b8e42e6b1c037e5

SHA512
9ca6ab403eee350e24fe63143d84706966d345237ed1c3c7a5ddbb4778a2e8a9092509110b6047ddf2006b53716e1fde2fa5e4f0ddcd327b09089d67cf287eb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
643544f928ce5df3703efeef5b3ef864

SHA1
6a0cf5caa0d6e936c02089488c0a02aa50f8b09f

SHA256
79ed9efdda04e619b4e0c81bed124a05cb13c5f8757899b540170fec34ed4c91

SHA512
a3096b3a4a42bc392b317f6eac19fda389f426a15745eb9d39a9688957a8f2058f2ee416608607fe5b34642ccab70a4950ecfc35566d4c1609bae904ffa3d793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e0395d0455e91dba1be78b9680a1e4da

SHA1
0cefb4936d64650d84f76350bf03631f00dc0406

SHA256
91584ea306edeeb4a211d8fd755659d6a024dadce054d742111316abd744dc89

SHA512
b0e255d0afb9d6a75cd591a0785d4701042d95f200b8cedc6b0a801f028c0dfd55002f58e476e28f956ccabe0aeaa6a75b99335906576ae505bce0b94c1f17bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
61368c566cb217fb9238e26d2060e10e

SHA1
6a015143eaaff498b2378972f00845e07a7d5800

SHA256
e698cfc6653a4c334b6fb6e3ceb837d76558bffbe311bda5217bf42537994c8c

SHA512
862ca88f75254ae215f371806294efffa0938ea71c71e92c1a3151f8a9acd8a1aa00266b3e8a167b6d3d071836f549a4b77a3a02612b2ab729b49832f90f94c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b8e0e8110199f9eb15426ddd69e21c92

SHA1
db4ca30a42f2cc01c59790742ae98e4d82709b22

SHA256
c99bae865f30cd895e0304a4aa239441aaf53e04ffdf1a4db9e8147af5fa492a

SHA512
e62665256c56a9cfb97a2d0553e0a20a77a5e7d41111921756bee6a4854c738783f85d40c846bddbfb3f83f86177b9759c25104438e4e1806cda0daead9407fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d16147453f3d3a72f8a30e7b396315a3

SHA1
0fd3aa7a8e72272c319601f260456cd9dff8ca14

SHA256
4f7704d422767e482102961def46946cecfd67bb60c6861bb721cb328175ee73

SHA512
a24b73ff1c002b648a645c43c70969ce3272d54d48bc51905e94fd55c69f96b259597629d7f1386452d7e742124bedc1789d5eb8aea245d6d2b0077c6d3f92ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
583247dcbdcf2822db82068a1bf722fb

SHA1
630dadadb704eae5edabca1a4b8fb260229aa28d

SHA256
6dd653330ea9d6c5251dfb0548982f619898b85c4d4b84a51781adfbaa71533e

SHA512
b920fcf7e20075190b9a679dc3293cccb38979840b1e7ba747c052ad879dd7902f0dea344ebdfa04bbe1feb639006cd342a27ed9a05dc0fe191c9a868b8eaee4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ad0d44d7fceb3f2e11c5226265f19a57

SHA1
f219d496e40a9af1ff1e478a365fec5c4e607e1d

SHA256
e70a807f5107331f1ea1d4928d6e035b3a93bfb22491cd1f950acbb693c46dad

SHA512
76bc95786f4116b9dc4e4cc02a0f33584c2a55e913f35fe45c675fc290659fc9f352c139316e94f72e6c1f408f50c890f2c319943b5f2d5a7b4d91eed3dba96f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5844b5.TMP

Filesize
1KB

MD5
9c474ef5f7e316ce01240e688b368d16

SHA1
60efaa3b91932f8c49fbbdf6a84accf37abe24ca

SHA256
47619ce5d7fa949e3dc19fca3e079a404f9589993923b9203b1d3b1fa6f81d92

SHA512
ec3b2689190c39ac4ed4ccc545bebc18fe17930f5ebca7be0f7074f35583d8356da52aceb18e760b849e2add15907850e8565f2858ed5b09295d8fb812f10c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5af454.TMP

Filesize
1KB

MD5
35525784a81574226999c07099308fa1

SHA1
2c091b2889d249f8ec719c89c36a525e9bb5e5c4

SHA256
ab3befc9cc75d8096ddda132284858ecd5780b2254a41747930f6650fa80f6c2

SHA512
52aed3f5ce9cee78eb1803e687be06f2550d100c7ca697361c19b9d23c80e2494dcb0e4032c9cf286e99d23ab73a6149e526e1c1465ccc8b4130b384903644a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
198B

MD5
5fb3df6580bba54b8afd899a01e5a5cc

SHA1
d778d5634383ba948577591a6a90debb3eea0b54

SHA256
29eb64d3caf77e703e48550c4ccee3eccde21dfac62eda2eb85320add5d385c2

SHA512
f0cdcd9898622e8289462537ca1c3c5b1040bc1b2cd74abfd1de71f5efc305c37d1999c83aca8a3ddc41ef70f35159b8e32b6b3ac2545b59d2cebed99d6e7e20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002

Filesize
50B

MD5
22bf0e81636b1b45051b138f48b3d148

SHA1
56755d203579ab356e5620ce7e85519ad69d614a

SHA256
e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

SHA512
a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
9774edcf0ebc8ecad14713888e2a14a0

SHA1
a24ad966bbbe5d50a06fbf94e3b82f98021ce4af

SHA256
f47b7c9b199919045d76992c163bd19d348f6928cfeecab9a9a6b6350ac2dfec

SHA512
750691524e3daee2416723b5c088a38d62052428d480c655c9e63592627b9035c574f527c83aa4f6a2475721571c4bf97fb38d247bcdb8820463a4881660f809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
187B

MD5
57d04a394b495b3a44bf0790810b919e

SHA1
614e7551f8e8fb20960dab4fbd0f934b3c0bcc20

SHA256
111caaaf203145ee1bbc369126f8f48dd236ec7728b747cb60a03055bfa56f1d

SHA512
94d87ff1c615a11dd5429e5067c02f19d385ef37ff1e78f486d648ce8e3496f1e244e5525267cf965e569d94afd55b4f7a1a9bb5b3381e8c2b1faff0b275fbaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
9280ab36634321ec02807cca80751e64

SHA1
80da56fac0386bb81796d5497abc212b2ae3185e

SHA256
94c1816697264e57618122c50d3299a5d184dbfaf4688479776410e939c2e74e

SHA512
df3055dbb251ae74d38a14c93fc14eb461480faf7f11b660cefac6d40f67ba4f47e856e7b5460f7a01f64fcf9271552342983c835eeddfba2c8a4d9ce9d2d43d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
565B

MD5
b77ec71c14c0075ddba1abb0f067183f

SHA1
289344e88364b158f1db9d6ccfca373667e159cb

SHA256
1d2551fdd90a2011ecf6824c9fe660b792df1a61977c2f1cc4cf3014777faeeb

SHA512
d134c326d12b937189cff76c74fb71163b5d4e25fb7b4890778724846c5283748bcfc97bda8919b5399f35e2c74b1b1f013dbd3919c22a191a82db56b6875ef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
65471cb4735c0f2874fb359419f7a366

SHA1
7a4fa83fc2c67c25280e97cfb37aaf25d65fc4ac

SHA256
e18a31c61139bc375bea49c6da7233a300dcfb79acf96a2bdad8374c2a58edbd

SHA512
50c91f76ff51656aecc06fe95ffa883186b9edd0981e24efc9f10ad4eff8c2abc581d2162252eed129e49a08bfef4fb55d1e04566c9d0b5e304df361b17e9228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
da402c485e9819bafe7c3b07e823ad88

SHA1
13def0833d1e045b0327c27110e2a1e8a8a63c05

SHA256
5d6278ec9df0e64a2850ae615a8ec34856f72ccfb8c120f94f62e64657e8f8ed

SHA512
654bd7828fac9ca35d912ec7ba87a27883e6981f75e45e7cdaa5908264c9f04384c2ffa509a72ed5cc116db1556bb94c92ca3aa5a6882823e9424b88744807b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
782f8f42aec76ffc2b741a45c049aebc

SHA1
3cafc806000d4003a95699617c574c2e554daebc

SHA256
eff07df8e618e09f3db3bb8a8d1d7af315563d0746a20c2b38d5c1b126ed8ae1

SHA512
9085201f5916fe3a3d5e88d28b0ca40a83312706d021fd7facff51b1d4bec74d7423d5cb35bdce2ea23391f6f8be9993a9eefb8d53e93860fa642dc7bc5e7d49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
8f99d73916d75970a074d991b1eca104

SHA1
e2e90cfa022238b83c60049596f2b1db3145f989

SHA256
6c3286e87ce8224e96357bb9f6602b7aceb376a55d13059a7041a5b2d59b07e5

SHA512
918d27b26099a42c4669afa6e46d56d81930e2ccd00172db2ad8aa8a9d66543d370b41667b9524fb18a0c524dbc5eb20e712b56c4f42360e598080e60869e69e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
be869384b57c477627c0f6674fa69c1c

SHA1
a7357748b0abc8bc3019222b325586073f07114c

SHA256
4b947cfa5b145bb52431b140cc972a40cf9c41f369d7885fccb7e2263a0be8f2

SHA512
629644787aff77dc5902768676ec6bca0bb9cfd52d4e094ed4cb2ee9555b718fc207e7c04e73ba6e075c3a3ecf6aafde626f586eddc0144961f6c42e49739aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
59515f4add38b8762134d122ab1a4db6

SHA1
604ea1614adde82c4d0563579da2d1bd45fd45f6

SHA256
a328ee4b7d7b879caaa91e10decc29c46bf722bf02e39c16d82ef7285457908e

SHA512
fbb551bdfa189d2ed3f53d62578549bd7b603ab803fb836d119468315fdd33323c8c29cbf39df2d1a46b5843406842e27a37f606d15025364fd24db80a31c175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e3af14de03978e016c00a35225f32a66

SHA1
e7ef9ff6ff759b472e8969b375a3ad73852355ac

SHA256
52de59776bd51dc32d77e3df63e9c2877461d1d690a22c862f870c0432da9f3a

SHA512
cefb149e4c264d3644b8bc60bbef0de66c13718d924a6c302b6426bcfd7a3bd0a097459b5b4993abb62f82b04aa03d9ccbbbd33132eaabecc2200c3b86334a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9614e57c6ea8871cd838b5a20eeb5529

SHA1
3b018d7099c2eee48ca1bab564d4a6590c5b55a1

SHA256
76da2a2539b2dafd85b42d653327a7206be3bcb42462189fd923efe2d8c298cf

SHA512
1423b8b355598f72622abc66fb84d532f050884d37002e1e40e27b6cdf3a00cb7c4ae30493fe1e5f553aa15daf7b015701c56afac65dc92a1e77a503cd776ed0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a5adcb42015cdd6cf1369054df3ab4bc

SHA1
9e7bb143007c3a3b6fe261cdd6b5355bbee5d86d

SHA256
f7b1f66305913045114069fd74d3ba6bb2d8cb12d6b6e9232005e187df20c870

SHA512
69f3f7d0a3f0e82babf926981f6ccd5ad3650aba64cf81814fb7e8719ac63819327b7b1dce044043e1e348bee17ff2902587d6f575238dbdc7edf833a1ba70b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
50daa3bb26c21c90f2ec9e1945145dc3

SHA1
8bd3cee8ffe66d3e6c90ab53a709ef86f11655b8

SHA256
d79207b9e7299bddf3f665413e83f037de86578be19a9adfd96eb81c4ba099e4

SHA512
66742f5f99d7df91cb764da6acc61f19b068941eb2723516f7b349337deb6dd7650cac5d558b6bf1b1b23b097f0b91313d11fcad90f8c99fc46658fb9fd5f284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
9e97cfa98e8bd63ea0d69ee9d0932549

SHA1
42608fc2dc8254dfce0c7ea6355ddb97b0285a03

SHA256
f981175e6def5a6841e2d75eb6ee6da28dc6c4096d617c494bdaaab686223cd7

SHA512
9101be0912760652237bdf95e9856e7f3bbb9a6b77ed2401ac0347571bd7c03e13cceadf4700b54c7dd93435957c3afa7bcfe933d6cc46fe4d42199d4ff5e32c

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
16.3MB

MD5
c950008049b3ea08232869a341654184

SHA1
1e4463a92a7e5d29359b1f7e8e54dc0c9594bdcb

SHA256
ed5fc642de24923049da490bde87e561b1fc4d67b5794ff4b4f47e1e1b540354

SHA512
66d235b075f3a5fba945a8048dc516b080fd7985e32d926d1abd4fce0e04ccd057605f6b6136cb421558d702afcbd7a32a8ed54385c1f73a56765c953402deac

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 408146.crdownload

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 430012.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/60-615-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/60-5815-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/60-6421-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4928-597-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4928-616-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4928-24839-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/15340-26099-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/21684-26470-0x00000000724D0000-0x00000000726EC000-memory.dmp

Filesize
2.1MB

Download
memory/21684-26409-0x0000000072D20000-0x0000000072D42000-memory.dmp

Filesize
136KB

Download
memory/21684-26468-0x0000000072D20000-0x0000000072D42000-memory.dmp

Filesize
136KB

Download
memory/21684-26469-0x00000000726F0000-0x0000000072772000-memory.dmp

Filesize
520KB

Download
memory/21684-26465-0x0000000072800000-0x0000000072882000-memory.dmp

Filesize
520KB

Download
memory/21684-26466-0x0000000072D50000-0x0000000072D6C000-memory.dmp

Filesize
112KB

Download
memory/21684-26410-0x0000000000F50000-0x000000000124E000-memory.dmp

Filesize
3.0MB

Download
memory/21684-26407-0x00000000724D0000-0x00000000726EC000-memory.dmp

Filesize
2.1MB

Download
memory/21684-26408-0x00000000726F0000-0x0000000072772000-memory.dmp

Filesize
520KB

Download
memory/21684-26467-0x0000000072780000-0x00000000727F7000-memory.dmp

Filesize
476KB

Download
memory/21684-26406-0x0000000072800000-0x0000000072882000-memory.dmp

Filesize
520KB

Download
memory/21684-26464-0x0000000000F50000-0x000000000124E000-memory.dmp

Filesize
3.0MB

Download
memory/21684-26497-0x00000000724D0000-0x00000000726EC000-memory.dmp

Filesize
2.1MB

Download
memory/21684-26491-0x0000000000F50000-0x000000000124E000-memory.dmp

Filesize
3.0MB

Download
memory/21684-26489-0x00000000724D0000-0x00000000726EC000-memory.dmp

Filesize
2.1MB

Download
memory/21684-26483-0x0000000000F50000-0x000000000124E000-memory.dmp

Filesize
3.0MB

Download
memory/21684-26473-0x0000000000F50000-0x000000000124E000-memory.dmp

Filesize
3.0MB

Download