Analysis Overview
Threat Level: Known bad
The file https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe was found to be: Known bad.
Malicious Activity Summary
Danabot
Danabot family
Wannacry
Dharma family
Dharma
Wannacry family
Chimera
Troldesh, Shade, Encoder.858
Danabot x86 payload
Troldesh family
Chimera family
Renames multiple (503) files with added filename extension
Deletes shadow copies
Downloads MZ/PE file
Blocklisted process makes network request
Disables Task Manager via registry modification
Reads user/profile data of web browsers
Drops startup file
Modifies file permissions
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Credentials from Password Stores: Windows Credential Manager
Drops desktop.ini file(s)
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Modifies WinLogon
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
UPX packed file
Sets desktop wallpaper using registry
Drops file in System32 directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Program crash
Browser Information Discovery
Enumerates physical storage devices
Kills process with taskkill
Suspicious use of SetWindowsHookEx
NTFS ADS
Suspicious behavior: GetForegroundWindowSpam
Interacts with shadow copies
Enumerates system info in registry
Views/modifies file attributes
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies registry key
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Modifies registry class
Uses Volume Shadow Copy service COM API
Modifies Internet Explorer settings
Checks processor information in registry
Uses Volume Shadow Copy WMI provider
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-09 17:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 17:25
Reported
2024-11-09 17:39
Platform
win10ltsc2021-20241023-en
Max time kernel
777s
Max time network
800s
Command Line
Signatures
Chimera
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files (x86)\Butterfly on Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Briano\UWPHook\YOUR_FILES_ARE_ENCRYPTED.HTML | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Chimera family
Danabot
Danabot family
Danabot x86 payload
Dharma
Dharma family
Troldesh family
Troldesh, Shade, Encoder.858
Wannacry
Wannacry family
Deletes shadow copies
Renames multiple (503) files with added filename extension
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Disables Task Manager via registry modification
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop | C:\Users\Admin\AppData\Local\Temp\is-A3D3N.tmp\butterflyondesktop.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r" | C:\Users\Admin\Downloads\WannaCry.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pdyantnatxy168 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\"" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | C:\Users\Admin\Downloads\NoMoreRansom.exe | N/A |
Checks installed software on the system
Drops desktop.ini file(s)
Enumerates connected drives
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | C:\Users\Admin\Downloads\000.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\CoronaVirus.exe | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Windows\System32\Info.hta | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | C:\Users\Admin\Downloads\!WannaDecryptor!.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | C:\Users\Admin\Downloads\WannaCrypt0r (1).exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | C:\Users\Admin\Downloads\@[email protected] | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\Desktop\Wallpaper | C:\Users\Admin\Downloads\000.exe | N/A |
UPX packed file
Drops file in Program Files directory
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSPCL.TTF.id-A86C441F.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\SPRING.INF.id-A86C441F.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClientSideProviders.resources.dll.id-A86C441F.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms.id-A86C441F.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.id-A86C441F.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_wer.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK.id-A86C441F.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\control\libdummy_plugin.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_output\libdrawable_plugin.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\legal\jdk\santuario.md.id-A86C441F.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml.id-A86C441F.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.tree.dat.id-A86C441F.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\CSS7DATA0009.DLL | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE.id-A86C441F.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-locale-l1-1-0.dll.id-A86C441F.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Downloads\DanaBot.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskdl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\WannaCry.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\!WannaDecryptor!.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskdl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskdl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskdl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskdl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\@[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\@[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\@[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-A3D3N.tmp\butterflyondesktop.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\@[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskdl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskdl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\@[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\@[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\@[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\@[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskdl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskdl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskdl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\@[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\DanaBot.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\!WannaDecryptor!.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\@[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\NoMoreRansom.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\WannaCrypt0r (1).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\000.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\taskse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\@[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\@[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\@[email protected] | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{71A6D7A3-9EC1-11EF-9346-C6C8B2E6F645} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.4355\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" | C:\Users\Admin\Downloads\000.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-87863914-780023816-688321450-1000\{40F952B0-E7D8-40DF-840D-7EDD5B991F4A} | C:\Users\Admin\Downloads\000.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 412718.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 423497.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\@[email protected] | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\Downloads\taskse.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\Downloads\taskse.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff9026f46f8,0x7ff9026f4708,0x7ff9026f4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6633f5460,0x7ff6633f5470,0x7ff6633f5480
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5864 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5840 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=252 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7012 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6132 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\DanaBot.exe
"C:\Users\Admin\Downloads\DanaBot.exe"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@3408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3408 -ip 3408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 468
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6444 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6908 /prefetch:8
C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 307591731173408.bat
C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2740 /prefetch:8
C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1688 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6168 /prefetch:8
C:\Users\Admin\Downloads\WannaCrypt0r (1).exe
"C:\Users\Admin\Downloads\WannaCrypt0r (1).exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h .
C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "pdyantnatxy168" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "pdyantnatxy168" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 77361731173462.bat
C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
C:\Users\Admin\Downloads\@[email protected]
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\@[email protected]
C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im Microsoft.Exchange.*
C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im MSExchange*
C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im sqlserver.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im sqlwriter.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /f /im mysqld.exe
C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\@[email protected]
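The process records above carry the command lines a detection engineer would key on: the cmd.exe chain that deletes shadow copies, rewrites the boot-status policy and removes the backup catalog; reg.exe adding a Run value that points into the user profile; icacls granting Everyone full control; taskkill aimed at Exchange and SQL processes; and, earlier in the list, regsvr32 and rundll32 loading DanaBot.dll from the Downloads folder. The following Python is an added example, not part of this sandbox report and not any vendor's tooling: it runs a small set of command-line rules over a handful of records copied verbatim from the list above plus two constructed benign records, and splits cmd.exe chains on `&` before matching. That split matters here: in this run only WMIC.exe shows up as a separate child of the two `vssadmin ... & wmic ... & bcdedit ... & wbadmin ...` chains, so a rule that only inspects the spawned child would see one of five recovery-inhibition commands; the other four have to be caught on the parent cmd.exe command line. Rule names, the `Finding` type and the two benign records are this example's own assumptions.

```python
"""Command-line detection rules over sandbox process records.

Added example, not part of the sandbox report. Records marked "report"
are copied from the report's process list; records marked "constructed"
are benign lines added for contrast. Rule names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str      # process image path as recorded
    fragment: str   # the single sub-command that matched, not the whole chain


# (rule name, pattern). Patterns are applied to every `&`-separated stage of
# a command line, so one cmd.exe chain can yield several findings.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("inhibit_system_recovery", re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
        r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"
        r"|wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    # Run value whose data is a path under C:\Users\...: persistence from a
    # user-writable location rather than Program Files / System32.
    ("run_key_points_into_user_profile", re.compile(
        r"reg(?:\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b.*?/d\s+.*?\\Users\\", re.I)),
    ("acl_opened_to_everyone", re.compile(
        r"icacls(?:\.exe)?\s+.*?/grant\s+Everyone:F\b", re.I)),
    ("kills_db_or_mail_process", re.compile(
        r"taskkill(?:\.exe)?\s+.*?/im\s+"
        r"(?:MSExchange\*|Microsoft\.Exchange\.\*|sqlserver\.exe|sqlwriter\.exe|mysqld\.exe)", re.I)),
    # LOLBin proxy execution of a DLL that lives under a user profile.
    ("lolbin_loads_dll_from_user_profile", re.compile(
        r"(?:regsvr32|rundll32)(?:\.exe)?\s+.*?[A-Za-z]:\\Users\\\S*?\.dll\b", re.I)),
]

# (image path, command line), exactly as the report lists them unless marked constructed.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    (r"C:\Windows\SysWOW64\cmd.exe",                                    # report
     r"cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
     r" & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
     r" & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"),
    (r"C:\Windows\SysWOW64\Wbem\WMIC.exe", r"wmic shadowcopy delete"),  # report
    (r"C:\Windows\SysWOW64\reg.exe",                                    # report
     r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "pdyantnatxy168"'
     r' /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f'),
    (r"C:\Windows\SysWOW64\icacls.exe", r"icacls . /grant Everyone:F /T /C /Q"),   # report
    (r"C:\Windows\SysWOW64\taskkill.exe", r"taskkill.exe /f /im sqlwriter.exe"),   # report
    (r"C:\Windows\SysWOW64\regsvr32.exe",                               # report
     r"C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1"
     r" C:\Users\Admin\DOWNLO~1\DanaBot.exe@3408"),
    (r"C:\Windows\SysWOW64\rundll32.exe",                               # report
     r"C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0"),
    (r"C:\Windows\SysWOW64\attrib.exe", r"attrib +h +s F:\$RECYCLE"),  # report; no rule fires, low signal alone
    (r"C:\Windows\System32\rundll32.exe",                               # report; benign shell32 COM activation
     r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll"
     r" {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    (r"C:\Windows\System32\vssadmin.exe", r"vssadmin list shadows"),    # constructed benign
]


def split_commands(cmdline: str) -> List[str]:
    """Split a cmd.exe chain on `&` / `&&` so each stage is matched on its own.

    Quoting is ignored (an `&` inside quotes would also split); fine for
    triage over sandbox output, not a substitute for a real cmd parser.
    """
    return [p.strip() for p in re.split(r"\s*&&?\s*", cmdline) if p.strip()]


def scan(records: List[Tuple[str, str]]) -> List[Finding]:
    """Return one Finding per (record, rule, matching sub-command)."""
    findings: List[Finding] = []
    for image, cmdline in records:
        for fragment in split_commands(cmdline):
            for name, pattern in RULES:
                if pattern.search(fragment):
                    findings.append(Finding(name, image, fragment))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, e.g. to rank which behaviours dominate a run."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.rule:36} {f.image}\n{'':36} {f.fragment}")
    print(summarize(scan(SAMPLE_RECORDS)))
```

Running it over the sample records yields eleven findings: six under `inhibit_system_recovery` (five from the parent cmd.exe chain, one from the WMIC.exe child), two for the DanaBot DLL loads, and one each for the Run value, the icacls grant and the taskkill. The benign rundll32 activation of shell32.dll and the constructed `vssadmin list shadows` produce nothing, which is the point of anchoring the DLL rule on a `\Users\` path and the recovery rule on the `delete` verbs rather than on the tool names alone.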
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1836 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1648 -prefsLen 21733 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {574c49b9-326d-417b-bafd-a3e9aae62b1a} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2440 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2420 -prefsLen 21733 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c900c550-c998-4659-a667-850562143b6d} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3540 -childID 1 -isForBrowser -prefsHandle 3532 -prefMapHandle 3528 -prefsLen 21286 -prefMapSize 243020 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e14dfb0-17bb-435f-9708-6190fb7106a4} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3984 -childID 2 -isForBrowser -prefsHandle 4224 -prefMapHandle 3996 -prefsLen 22578 -prefMapSize 243020 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86a7aadb-5edb-4b92-bb07-32aabda914e5} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4456 -childID 3 -isForBrowser -prefsHandle 3884 -prefMapHandle 4016 -prefsLen 29251 -prefMapSize 243020 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c305a412-7c42-4c50-9069-73866a609651} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5124 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5192 -prefMapHandle 5184 -prefsLen 29759 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42b69e99-882f-49b1-879f-cbf41d38ad95} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4660 -parentBuildID 20240401114208 -prefsHandle 5180 -prefMapHandle 3980 -prefsLen 29759 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3063174c-af69-458d-93a0-d5b15118da13} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" rdd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3696 -childID 4 -isForBrowser -prefsHandle 3640 -prefMapHandle 3768 -prefsLen 28332 -prefMapSize 243020 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ef94dac-7270-4abb-ab90-ec2edfc878b0} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3824 -childID 5 -isForBrowser -prefsHandle 3544 -prefMapHandle 3652 -prefsLen 28332 -prefMapSize 243020 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4343c771-35af-435c-9028-9e0a2cab2a09} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5880 -childID 6 -isForBrowser -prefsHandle 5980 -prefMapHandle 5984 -prefsLen 28332 -prefMapSize 243020 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a01883dc-b793-4052-8245-0dd0efeda4d0} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" tab
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff9026f46f8,0x7ff9026f4708,0x7ff9026f4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\@[email protected]
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3928 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3928 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4424 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\@[email protected]
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5516 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1348 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2780 /prefetch:1
C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5776 /prefetch:2
C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6436 /prefetch:8
C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6876 /prefetch:8
C:\Users\Admin\Downloads\@[email protected]
"C:\Users\Admin\Downloads\@[email protected]"
C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7000 /prefetch:8
C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\@[email protected]
C:\Windows\system32\mode.com
mode con cp select=1251
C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
C:\Windows\system32\mode.com
mode con cp select=1251
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Users\Admin\Downloads\@[email protected]
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3952 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7164 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5560 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5900 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 /prefetch:8
C:\Users\Admin\Downloads\@[email protected]
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3400 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2800 /prefetch:8
C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\AgentTesla.exe
"C:\Users\Admin\Downloads\AgentTesla.exe"
C:\Users\Admin\Downloads\butterflyondesktop.exe
"C:\Users\Admin\Downloads\butterflyondesktop.exe"
C:\Users\Admin\AppData\Local\Temp\is-A3D3N.tmp\butterflyondesktop.tmp
"C:\Users\Admin\AppData\Local\Temp\is-A3D3N.tmp\butterflyondesktop.tmp" /SL5="$F073C,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff9026f46f8,0x7ff9026f4708,0x7ff9026f4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
C:\Users\Admin\Downloads\@[email protected]
C:\Users\Admin\Downloads\HawkEye.exe
"C:\Users\Admin\Downloads\HawkEye.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\YOUR_FILES_ARE_ENCRYPTED.HTML"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:19352 CREDAT:17410 /prefetch:2
C:\Users\Admin\Downloads\000.exe
"C:\Users\Admin\Downloads\000.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' set FullName='UR NEXT'
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename 'UR NEXT'
C:\Users\Admin\Downloads\@[email protected]
C:\Windows\SysWOW64\shutdown.exe
shutdown /f /r /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3911855 /state1:0x41c64e6d
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4560 -ip 4560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 58764
Network
Files
| SHA512 | 885a734a97a6f8c4a8fb5f0efa9fe55742f0685210472ed376466e67f928e82ddf91ba1211389d9c55dd1e03dc064aa7a81d1fca3cf429fbaf8f60db8b1348c6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
| MD5 | 3150a7837d721d66e25814559d08c08b |
| SHA1 | 0d4af82f3edb5eae845295a4ccdd8e82ea373fb4 |
| SHA256 | f1256c6a52bf622df5829e635ec8e671d1a9ae0a4c7ac0a86c62a2aea067ee65 |
| SHA512 | 85a81ca7af39b18868dc46a129eb06618a5dfb9db6242381ff2fe69db22c39d48db1d6dce3e8b63d5cfec781a22ec50046e47a861feae08a9a25d27252e54c37 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
| MD5 | 6cc1c2683d5ed763eb1bc834268f6e05 |
| SHA1 | bf526a3b653d8248a3608df8b3172d9b18321bf2 |
| SHA256 | 1916ef123a6ce8c07e340bdd210bb63a45e661d9d6a8516cc68b85f9eebbded6 |
| SHA512 | 2223229b9d757077d8dbbac41ac3551dd4508d3ab0c2a51f62d91c9ecbb0df14a0c7dc5e0e257b58959a4f760cda8620f0f30b167796aa0351ed416f13c13bb6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b66c4fd363a66b34b3f148b070c7c249 |
| SHA1 | f6a320ee8f21914ab2d9cbfe5d7e6fc04c3de1ea |
| SHA256 | 455e1410598662445f3c61f678116ad812b295c082b3b61815d5c461815b991f |
| SHA512 | 6dae69831c0f6bb3d79205999a71cd76beb67fc07c4b7b5b3c9e3be7453aa974d27aa2c9d502f913d88ca41f717cbb164bc7446c2f431e1ee8cec92809fdb1d2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | f2d9e342a4d1919d10309ad18889bc5b |
| SHA1 | c97034991f5f98656c583c34a73b49e5565e761c |
| SHA256 | f976084df6e45e84b7a6755b0096ebc10b4cedb0ab18c0fdeea2c55519e6999a |
| SHA512 | 31d1f2ac60f0d0c33b717a7f03152ce38ccec5a2b4e8f327ac166f946053bb1c64516a13f50895ba6753fd995020504fccc8397a0d2eccdc42734750db80c289 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d002.TMP
| MD5 | 0385f658c3d22a2b632a18a4a192fba5 |
| SHA1 | 9c2e5c1a1f26c22483f09c2ee88a547c3b39ea49 |
| SHA256 | 693865b37784f7e908f91cd1430c0f5210227b800f873062fcf8dc75e59a92ab |
| SHA512 | e7408444138e76c1fdfb95dfab456b8089c31e7a42f968982b2b3fde4deafa3e1b1f2fb1c098cccd5cdf9ac19e621bbffe780b154f878e4e20399fefc8ac71fb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
| MD5 | 4e786ef6de6d058a7ee21d714b5878f8 |
| SHA1 | a25cf3a4ef2c4208064a295fc00bf84be1557e8d |
| SHA256 | fd7a0097dcdb4360e99e3131665aaf1cdddb65f638323d8dcd86832ac1c65b57 |
| SHA512 | 79f32a2fe5204c324bcdfd5b11b3d7423cb8961e61350ef8b1a40390212bb1f2125be11aa9a8761edb2fd4c760a39c9f18394a8bd8bc55148ff2937b4ea67bac |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
| MD5 | 084a7c45c750134bc52120929e4adfa2 |
| SHA1 | 7caa207a66cb97095da77cb26bc03c05e3e3e3ef |
| SHA256 | d897e13540624694573d596496a442f317069973a8bd8f9464b2ee91406fb990 |
| SHA512 | 6aac3796f0435096a86e81ef9bdcd0186ecf74d35a38dbcd9d5c08662fe707c50d015453bf7eef1cbdbade8fca2779aded56bf3a2407a5ae97fb2a6eb1092f2f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
| MD5 | 908677684413f5278249c1b08127d6a0 |
| SHA1 | df54a142c7eb47537509a54a8519f1c6c82d0965 |
| SHA256 | 49910739da15aef97cf1b1fab8a1c6817991542d296c3fe6619248258626330b |
| SHA512 | d6458614c8cf209da33129d5672f4eee9923bb56e91692c87a0f82a0e00c0ed0c03bad913e3ebfae7dab32f76465e58289e15e579bc5f8af37845ab250301773 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f
| MD5 | 46c65c348f90aa174bfc5f9dbacbc3a1 |
| SHA1 | f3f1cb408e89e48b14532730632dba27858d2676 |
| SHA256 | 0b36587fac66193c3e84fc32c4edfecf3b9a8717aafea51178f5480239bfa008 |
| SHA512 | e18be3c74e039ff4297313b12abae8719e26eb852724a46f119121d008a7165e249bc17d17b3275a108e6de14b1bc443a7827589bc4fd46d616de699b8294ada |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | d37b536a1bb5b0a520b436225f2c3a26 |
| SHA1 | c67e6e34470f4392001209f84a70bbd485040f5e |
| SHA256 | efc7a462836f495670945ccbf66d966ce2df8c07fe6c90d73dba285d28ff4244 |
| SHA512 | 928ad090433814a18bb7881e2bb8856c8be778c2014c05413c29845794c0fec218e997f8a176a4e82f0819a911cf06bb847622c60cbd27bd690f6e2e1d80352e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 32436b16192fc47446a404eec2219700 |
| SHA1 | e1f646ce9a44efcbcd232889277d0186b6485a22 |
| SHA256 | 1eab63d2fdca86de62bccff3a564db33205cfe03083b7f87cef55a33268a3417 |
| SHA512 | 08541deed52d18a22184b3ef2052ab3359633c16b9e7e88783540b1d5ececd8e6cd3dc1ba148a21584e11109118a7c5376e224720c8e20af6decabc051170ddf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 3bd4b0da0ca69ca8d0bc5e6b5838c087 |
| SHA1 | 7bc95d7859f0b9ed17de99142c36c3bf533e4fe4 |
| SHA256 | 4ebf8acb6eb1f47bf3b9960fc1abefbcdb5a956e200c7f188b9e394494e2383b |
| SHA512 | 5c13ba95854aef7fccf463bc4add4a19e40da44e202ef0cc5a72200cd65a5c2013beb0c6f19156f5b0c16cfa96fa67515e8ea39a65f00d9496f1abe8d773a0aa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | f52864a0854becdb7813e8b5a9b1a7ef |
| SHA1 | 4091fc499c804b64b442d1c3452b9030f90ee7a9 |
| SHA256 | eea35ed36c203069a07bf9b9d3b29b9748f9e067beabb217a57f2679755f1c31 |
| SHA512 | 4ba6c1e8b21cbd169bd976fc2a5df74f55f14e1b535669206ac2e08dc55071d2dcaeb996f706d5fb4fed4b8d955450c2db95beaa759afbaca538e82d85812e79 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 07d4df7ef9937fb8cf1b8fd463354950 |
| SHA1 | 3e470edb38edde953b427d17412101c26ab22497 |
| SHA256 | 566ccc0b971928be67e53e7545fea9f60ef8602edb719dc0b35c3871b3d78112 |
| SHA512 | e98d09db4a87d2ca56ad95b3df0a25eef8e2ff7810514e3fd84d9ba5684ae1a0430b24fc7d454347994053273b12f738ad2aed5f257ba347ae8fa7dc70ce7359 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5d7fc53ac19c946ce921e23ca8d03ead |
| SHA1 | 2eb098b1bb53851c720227d43ea84230ebefa905 |
| SHA256 | eb86571243b3ddbd9a9783c927e525b33f572ce7b3d4e8a8cbe4ad5199757b23 |
| SHA512 | 9ab6d9794246e68da833ffb5601bd792882b010a53aeb8a9e251078ab388f0e9c020f9ef50c1313e24da9c15368aae54e58d87c639c6484a7d1dcc5b1e69522b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 818f039d5ded532eae86d12ae2a41d28 |
| SHA1 | 14472d083e9bd060509cbd48c4952412ca330df7 |
| SHA256 | 9684ebcb31a732d49004c79e91f02f4698f4db6e0b83448d1e33a865d6b3d73a |
| SHA512 | c59c024b86a01f2f5af12c54a05e333df482f1416f31ecf6f75f4e0c0efbddee00cdd0f63c944f81ad8ffce5cc98728e936745b90280a5daff1761943d16677d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe588ff6.TMP
| MD5 | 2800881c775077e1c4b6e06bf4676de4 |
| SHA1 | 2873631068c8b3b9495638c865915be822442c8b |
| SHA256 | 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974 |
| SHA512 | e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 95d72e5a735d2124832ae4be2981bb87 |
| SHA1 | ad77730b2f3e7fa62b9468d2200f97e43da0bfaf |
| SHA256 | 262738eb6b611f88b7d9f4a45a6343623d19e16aaae0c39fdde4fff5d79615a5 |
| SHA512 | ccd85871829fe2ce38f0806e08325d6e11028a4dc0e97aa9aa048522d3f7ec8f1f1cec9487d3439385a204e0776d13e25f66a56eadd38cc690919f324c0c5e9e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d
| MD5 | 86bd07fc23df63032eae2b71fcd4d953 |
| SHA1 | c03c4239b201e51e480ebf88c2f7d819f8165d00 |
| SHA256 | 85147518b553f8a19ae4f20123e23ceecafaca3a569f442cd9aa67830d3e8245 |
| SHA512 | bee47ffba3c3707cf429355cdfa897ead768b3930ae71417b01babdc59b0e0aa61ff69febce92b9839c8a13b2e2d579a456b5d029eea7df16a0df22175f38116 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e
| MD5 | af5870365ed0dd3ec2ce0d5beff19515 |
| SHA1 | 14229509e90416408d1b868ab8abfec968b21f4c |
| SHA256 | c87aa9c9818d4205895ab9e429dca1fa66ea01d68bea439763e490a96a98f603 |
| SHA512 | c38864e31768bd37042118ede37231bd6a15033b4b7805bd26d3743ceb52cc9395b1f4cef27dfea73f6bccfe54f698cc6f03cfbc7771fa0241bc23378072fdd2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 69777d6eca3c12f730e9398838f4f16e |
| SHA1 | 7a6184992e7752bb6df54d40ccc3ca9da94081ba |
| SHA256 | 8c220446d362ff021db2d7232c96d8c7ca7bc0d992fb4f06bca9f43a9b27807f |
| SHA512 | 282601d6364d61d1fc7f2fa50a998e32f222e58be0840e82a3c338ef8f89bc518b424a69c9a7a76176345d8f9ca9adeac5697a6c98523d4bc744276418ff21a2 |
C:\Users\Admin\Downloads\Unconfirmed 513577.crdownload
| MD5 | 48d8f7bbb500af66baa765279ce58045 |
| SHA1 | 2cdb5fdeee4e9c7bd2e5f744150521963487eb71 |
| SHA256 | db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1 |
| SHA512 | aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 0003eb078ee8ef89abe0ccdfec12f97b |
| SHA1 | cf433431e8d3b7604fc70d13dcec40eda0b526b9 |
| SHA256 | 5fcd961948b053c5380424247a5b87f60bba59c09783be4a5c41adda8a8b7b0a |
| SHA512 | e37368322a1b814d7616b98a00d29322cf30442d246978d11f94fdf67743f3e920a7ac317d6846579ab4346d84a721a0af08eaaa57e00b8d4f449e24027a5c3c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 9cbac2b18fec34383e62149270ae3a1d |
| SHA1 | 40a83c0b4e81a3c7ba592df179c7bb1e9f3bf9e3 |
| SHA256 | 161e2f3b112330f0a2da282951bd7005011a2985882b82588d2b0cefa3c3d234 |
| SHA512 | 632317a4ea22a3d4f6b3476c2ac6e81e71edc53c7db07807c59e01d50ee4f361d007d9e5a832e054182a70e1c8bf1aeed7b2bb14818dbf7320d25196e1736060 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ff64115ef1386a878a777003a9584b1b |
| SHA1 | dc707a9e356ebf9ca5c0fa81cbf74edea1f92b0f |
| SHA256 | 81ebf9b9a8e2079fb47eacefbb25b67dc313b69aa836fd15dc1cafd5ab133ec7 |
| SHA512 | 4c513136b2089ca1961457481ceac85752c94a5b9957ae0567411bdd3e49f378cdd91b304ceed915b7676807ecf6776b1803c767dc03a8ab582f2112d096d05b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | be30dc773f2625548a4c86d0b955fb85 |
| SHA1 | 39fbb50e8a416d826ecc2fe9bf4deae66c49b1cd |
| SHA256 | 406d70d8e8f0ed03365baaa30e46c929195a0380caf210d1cabbeb48c6b24eb7 |
| SHA512 | 8361c710e20f7f09d6d6ec006ac3da8d059a94a3709aabdf60d1b81f42b1e353c9a6a885da116836a4ce5ef6a9926e737381c4a5bdeeb1d0f7442654322a3e10 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bc9c03a9824448c574d2836f30f936f1 |
| SHA1 | ba4083c6213b5931ca7b8acfc6cf68500682b936 |
| SHA256 | 3a81421fbf9b1f74db55f72132a979b959115a17a1a22a4feea2c8d82af77aa1 |
| SHA512 | faf1402e5f9ceb08b24c7bad7bae89a43e8cf56d56b51de25176c17d9b53a65add9c89bc01863eb2161c1325e82ed164344c75c56c9351afb23bcb8345c08310 |
C:\Users\Admin\DOWNLO~1\DanaBot.dll
| MD5 | 7e76f7a5c55a5bc5f5e2d7a9e886782b |
| SHA1 | fc500153dba682e53776bef53123086f00c0e041 |
| SHA256 | abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3 |
| SHA512 | 0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24 |
memory/3408-821-0x0000000000400000-0x0000000000AAD000-memory.dmp
memory/4560-822-0x0000000000400000-0x000000000066B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 69ca8279fc714ac638cd7093d1770d66 |
| SHA1 | 22a54f91029350c24910088f09f3074f5dca6f14 |
| SHA256 | e3fefd84b3531c941427ee580489200816d7cd1c448ed5415b8c93370b8ecd08 |
| SHA512 | e1822d7ab9fceb830edbb2a31d3b492ab182fef337016767d8d7db35d0d71f1c3f17dca9544995cb08369235cb744dce61ccff8820db5573694aafcdf901fca3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 644e2e24202900b44d344b563234a0c6 |
| SHA1 | dddf2b5be7008bda21fbe4feb34bdeb32c831c27 |
| SHA256 | a51c45868d5bfd3d2eb2608c995fdada0b2777158dd88bf257e4042b7e6834bc |
| SHA512 | b9d4d9fb575953a407e03a1f2d36801181db2f5cc96e0b92a76c21018d3a58961f324cba5afadfcdd8c904e764ac4105fad860127fd85787546c2715b87c1a86 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 27e3e63d738aef9e5ff5fc5922580dd4 |
| SHA1 | 12a3d06549cdc7ce651b3ddbffb150f829da1555 |
| SHA256 | cd2454cff228c0ce9d01041dad2a20fa9a2aaa189fce2db2d625a3227fd9035e |
| SHA512 | c039a5f5a1e53280a44cfc314967bdccee69a2e22bec26bb88edaa9de898765bf2feb7070b80afe9ab01e30e22e2c7aa05409158f349844dd5a6d873d9e5a3ad |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | bd02d32c619c73131f9e35439c5a7e68 |
| SHA1 | 4cc21e2945b8fb3874c15a3403ff42c503deaff5 |
| SHA256 | c83df7965ca3d944fd1d592d1887e546eb11cfb8bdb6beeabb778bf7b64c1475 |
| SHA512 | 8c435bd2f1cb16251ac0f6e0e034f5b8acc0fca6433e8b0f7b8c8d01e4e2cd858339a9d08cb47694de2aa7711964d2188b81dba28ef8bcb766ab7a9391bb2592 |
memory/4560-878-0x0000000000400000-0x000000000066B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 47b5c8a12f4b320549303fe78841f41f |
| SHA1 | 6b42847cb4c18591bc9540245c59e1b79c3a9dff |
| SHA256 | 32b17ed382b41f71d304581ace195158e09c2256415fc1833921d75feebeefe0 |
| SHA512 | f2c629f8640b1ea258eaff5685e59095eae02199fa50d00bd729b07fb34ecf08aa7f7587cd51ca991340538c4a9d3f576973a376d783fb7a05c42f787d84c4f0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7c7254968b350454d638bce16d985879 |
| SHA1 | c4a826563ee256d3ba1ee9772d6b0196a21e22b4 |
| SHA256 | 16ace9388ef589881cee70df55e3d31017d1e40a036e3af19ceb57d99c070dd8 |
| SHA512 | 3a9f67dff41451e9c50101b98a4e983d48894cca113299023656fd6f7bdc1e8f289305767f3c43b99a0f81c1016aa490efdd7d9557b852ab608d94a3015a9942 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\87e5cc09-072a-4733-8764-feee08e98bf1.tmp
| MD5 | 85f3887a78c665e59d9364ddaae02acc |
| SHA1 | 5cb3bbd5c4e9c3f0cde607d2dc79431a4d1797cc |
| SHA256 | 4b423fb1a46430b3839de182623439d065877e95de17ebb950a90c5f0ca93518 |
| SHA512 | dc4c6ae521227a2429ea80adce60020f608ee9ee9956da6454c003648566b6ada3145c4f80e9e1eb680da846a77a62948dda2c2afc1f9375d3f3223704e34dd2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | ed23477a4a8642e63d96e78ae017a2ea |
| SHA1 | fc4b3f72b67686092d0ee4516bd227e7371f0ab8 |
| SHA256 | 8623985ca152372b47c9826745e173641ecab813cc0d319af2f6adba36c2e067 |
| SHA512 | bc9ee2bb4075f0f524e45ade64ea17ff2608d8d09406dfd1684a802529ad75769de81a54c7522b18ff4844a85795433d4dd04cb66451675d37f7f02c09ab3ac3 |
C:\Users\Admin\Downloads\Unconfirmed 742955.crdownload
| MD5 | 5c7fb0927db37372da25f270708103a2 |
| SHA1 | 120ed9279d85cbfa56e5b7779ffa7162074f7a29 |
| SHA256 | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844 |
| SHA512 | a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9060ed5ae2c5d7bc2de2a80300573488 |
| SHA1 | 695439451be4ffa4cd7f3f7eb02fc46e667ff82c |
| SHA256 | ed9b2054e9a3cc5c604463865e36afeb3333c470b1da1d8a8a760a854c61084a |
| SHA512 | 7ad00a9dff2acac5b1dff4193780241501a3bae0b7b537ef10629625a5a4144174ab9c3fffb7fdcbc58bfd5bbb1ddc9402dbb190679892a9b46f3b5021c6340e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | df63b37fef7c9a724c3e931dd0a55f98 |
| SHA1 | e61a2ad943fb2b26682195ab91dab35da48c6f20 |
| SHA256 | 8cd1e04115008a43115dfb7505b05847124d1689382f236c53d087f8a05cd1f6 |
| SHA512 | cf36e5d7796769003a9efb2ccb0ff4dd718bd55c92e32d5b267b1bdc4225338777d7a4a125e92e685dc045df81c491ca7702ce72fa8e245eb38994ddd8041044 |
memory/1480-957-0x0000000010000000-0x0000000010012000-memory.dmp
C:\Users\Admin\Downloads\307591731173408.bat
| MD5 | a261428b490a45438c0d55781a9c6e75 |
| SHA1 | e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e |
| SHA256 | 4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44 |
| SHA512 | 304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40 |
C:\Users\Admin\Downloads\c.vbs
| MD5 | 02b937ceef5da308c5689fcdb3fb12e9 |
| SHA1 | fa5490ea513c1b0ee01038c18cb641a51f459507 |
| SHA256 | 5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1 |
| SHA512 | 843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f8ef9583cf3e8370f2d05b967c5969ed |
| SHA1 | 126bfc504f281ce6dd62d138f3efc6d51d98dd8a |
| SHA256 | cf7bd765eb95aea743f5ff5b1ed398597bb1ae0d2562080278826421a66a4b0f |
| SHA512 | f72ecaa17b90fd607ac49922ea88294d8fbd192e2df5f7e188a1a64d2e1562257e3bc294e9b6adef89ce05f5cea5227b9677f574c7e34e382dcf616d3e50b416 |
C:\Users\Admin\Downloads\!WannaDecryptor!.exe
| MD5 | cf1416074cd7791ab80a18f9e7e219d9 |
| SHA1 | 276d2ec82c518d887a8a3608e51c56fa28716ded |
| SHA256 | 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df |
| SHA512 | 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5 |
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk
| MD5 | 10547ff5a5416ad7a8af9523ad92d887 |
| SHA1 | 85d0b35a03e18b3090ce6f3843593932296015d0 |
| SHA256 | 9be47695ce026bdef2da5a3b52fff3a3928fa5bb5ca1a89c19dd8f5d56f61d86 |
| SHA512 | f3d968d326d756ee6022f0b8d91786a824acbd3b666339f44366d4b35d3f815ac0623af47def5313296434c7919c3d36bff18db121a21d1e4448d7b241f8e4a1 |
C:\Users\Admin\Downloads\00000000.res
| MD5 | e08ea491c69966c2471436ebd64d3c3d |
| SHA1 | 9b2141e7e5f352f56d54bbd3a8db12952988ef56 |
| SHA256 | 3646ad74b1c9e8e1e55ba28769a7ff0d60c5fbbe1e6ad3f12ce4bcd734d11499 |
| SHA512 | ecc824f02f4aa1edb5f619d59b97a2ba4a63a52069c5fa7161eeb9c1d938447c03c7de3b9624681235e09e762fb0af896ad8d7b41c30626d41307c4783fae222 |
C:\Users\Admin\Downloads\c.wry
| MD5 | 4c10923f7e121618060900ad1fbba214 |
| SHA1 | 519a73b48e8a63f8cce282585ca44aec4a8ef1d6 |
| SHA256 | 0d6f33345e4f97018c937e5eb2324bc76f04711338ea07927eb63e2b7dc83353 |
| SHA512 | 9a27fe90a6e70726356c993d1e07381c40c21df19182505e1c963550b070c548321d41ac925c89cfa56e67211f9a82ddd8da9010876bc8e0d83a9c7330da4967 |
C:\Users\Admin\Downloads\!Please Read Me!.txt
| MD5 | afa18cf4aa2660392111763fb93a8c3d |
| SHA1 | c219a3654a5f41ce535a09f2a188a464c3f5baf5 |
| SHA256 | 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0 |
| SHA512 | 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
| MD5 | 02727d7631092ed4281c6d76b85e4216 |
| SHA1 | 5972f6e01ba62155ae05bf5aca5f336bccbc96d3 |
| SHA256 | 552b129f547d6eb63f03cc9582afb158c4cb81fccedc81aa6ae3e19dea4e4ea6 |
| SHA512 | 24ec82ed2a17d7a083ad151f307727880f661de14c0fc941ab0d1d1fe9349ab000787e82d8b94ca463319173f374d6ab737080320766e158b9a476664821f6cf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db
| MD5 | 9e02552124890dc7e040ce55841d75a4 |
| SHA1 | f4179e9e3c00378fa4ad61c94527602c70aa0ad9 |
| SHA256 | 7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77 |
| SHA512 | 3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd |
C:\Users\Admin\Downloads\Unconfirmed 993493.crdownload
| MD5 | 84c82835a5d21bbcf75a61706d8ab549 |
| SHA1 | 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467 |
| SHA256 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa |
| SHA512 | 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244 |
C:\Users\Admin\Downloads\00000000.res
| MD5 | ebb817394e3a84108981aa68c7e9bbc8 |
| SHA1 | 3876ac4d4ac96b7c5ea5af74d997cf50cc560674 |
| SHA256 | e7365a6671d31a121643a09123ceee6be4a6e7d3c3441f85a3991d786ebec191 |
| SHA512 | cfbb2000b2fe219e7ce300a4a26ea490022420980abbf431599f8fbf90f6ea847dd7962dcfbc9da3c0dbc7cbf921297c77fbb1f6168af02af69712c985b63da4 |
C:\Users\Admin\Downloads\m.wry
| MD5 | 980b08bac152aff3f9b0136b616affa5 |
| SHA1 | 2a9c9601ea038f790cc29379c79407356a3d25a3 |
| SHA256 | 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9 |
| SHA512 | 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | c19d818ebbc0e6562fdb0e00968eefa4 |
| SHA1 | 51fe759e10d944b5ff2fe36f66b1f4dd94bdc28b |
| SHA256 | b8109aa5a8b6f460999b79c480cc198c36cd7e06b79c36b399fca4814cb35340 |
| SHA512 | 9def795dcfe89d59aa54e2e9e45b777bb4e4ac1770e9d89a4bd3744d35f749b4c39f9adb36fbc47871c2d9b44ddc81a5f517b915f772944fc21dbed462beb66e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 74f367f645af6a2805e3c2b02d8d5ea7 |
| SHA1 | 537c9a124302f68aa32f08eec95a7ce715c77c98 |
| SHA256 | 1f8ddfa46bcfec854aeebf838b01eedfc737959e005686102ac20401a63596e1 |
| SHA512 | 320a09f6c8f06b08e12778a03e5f598e635b02f148fb956302f3f88c4bad0e31aa0812cf53791186bbee705e044085511290955c2cb3fa993eca789132a79298 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | d372331ca293c815e6fb2d2de7b4a896 |
| SHA1 | d8fdb5587fd1b473b28f36e374c053c3273ad24c |
| SHA256 | 2ec8ed2b69db42a0f91e47357cffc737d6108ed549bda1c54b277699d83f11c5 |
| SHA512 | 150df9fccc225a63ad6c9cf1b12f10f623d0fc40f978ec60df2c1024873d393451737ebd6d32922fb4d7ef52acbc56c4e4359314c8bfb0aca460eb5f0ba6311f |
C:\Users\Admin\Downloads\00000000.res
| MD5 | 44bca8bb7a934c6b23c569dbddf9f9c8 |
| SHA1 | f4ecaf2f4d36f0355201dc5242c3c57d4dbf1fd7 |
| SHA256 | 75f7c97757730501e5aef47a4630628aa22532e97646a13efc7d5012247a7b68 |
| SHA512 | b90eae13d14133a4694471e2aedb573616fb9f670e8cdad88929754dc38ad6c051b6989d1cd8eb07cb41092c8e5bde68ffee5bebdcd91392f6f8780a7cf6e1c3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bee19942fafe1e6cc7152af20808c232 |
| SHA1 | ba3b76f20e3ba36bc2b39489767b86c4b76ee666 |
| SHA256 | 76fa6cf2f6ad8e19a54fda7b1efd0a86dacbeb9ae37c5092a51a5a8d753c65f1 |
| SHA512 | 0226e133be143d52879f6838c11bc4967bc4d1d58b1baa307a85c77a8c1fba7c2f6fa301d8c9a7aeea0b48231e0bca0f660537f0bcfc6465aacda4cec5e968b5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 9d923d2049f2e205bd476f9625957fa8 |
| SHA1 | 3c6971b5c41c0e014a23bfeaef24210fe2bb8402 |
| SHA256 | 3cbcf4bc56710a414589d752625f27c392508f9bcb26e1bd0b6a162d04b3536c |
| SHA512 | 89d1cab32a9a1729b9c24322d00573b73d6c7fff83d7c533bf7b6d94aa3b799b4985f95ca820a1e5ede64b997c779cee3728be6887080911fc01b3bce9c22de0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | f76fc1233451d88b68db1cde94d03526 |
| SHA1 | a391b69b8d233f39c22fe8b9c1609fa04f707870 |
| SHA256 | b789e514c741e3ab7ae006930cb1e3f8613aeefd6db64107fc5b151cb1a2e0c3 |
| SHA512 | e1da600a1025a7e4677e11322a42181909f1373e52d9536cfdec4221150b20833574d40ef19056297d0e40e5637662939af20a0ef90608aaa1a47f836fcca759 |
C:\Users\Admin\Downloads\msg\m_finnish.wnry
| MD5 | 35c2f97eea8819b1caebd23fee732d8f |
| SHA1 | e354d1cc43d6a39d9732adea5d3b0f57284255d2 |
| SHA256 | 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e |
| SHA512 | 908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf |
C:\Users\Admin\Downloads\00000000.res
| MD5 | a2cb9c0b86aaeb564cab5ed7ad5c799d |
| SHA1 | 17bc66a9dfb12b8e15af5524e0e81bc3166b87ae |
| SHA256 | 69c98d9dbd683e0b694546353c5a85854753d698dbf7b122954f0f1b344a8b73 |
| SHA512 | cdc1fa53603fb214daff6907210e90ed8c0d0f0113faf29766dbb85fb1a5164cf5353ca5f7b978c219cc41a1e3ca7e2eed358e00022f765803694a855fb88a32 |
C:\Users\Admin\Downloads\00000000.pky
| MD5 | 9daf6c3a754bdb0f25835689d830a8d2 |
| SHA1 | 322283234ee9e70aa12b7496d0e5efe5b1208faf |
| SHA256 | dbe17333d39d4ff6b3d6c10e2b676cb0aaa726586e77704994172ab18ba1e22d |
| SHA512 | c7d4f61c13454f384d7655a6ae1253618443aaa610f4ea51d02ce3ece6c2164b71179fe9b570b4468f36bf50153ec28c74d64f437cf402c53033cddb4cff8a92 |
memory/968-2373-0x0000000010000000-0x0000000010010000-memory.dmp
C:\Users\Admin\Downloads\ApproveRestart.zip.WCRY
| MD5 | dd5eefc5a4066785d2000913b03f9386 |
| SHA1 | a538c5a387f8c3d429238561f0a9fb666980408f |
| SHA256 | 742b0183c1313993fcc0490098adf918c391824513f0c7b90a3128c45a747dff |
| SHA512 | c36407a6785d9d3d11cb059d62a58b6944bc4a88406af7719f5c7de7e59ebc04272d9ebb180fa0cc678e8dda733e8476cc1df8df79ab480ac0a3b042c9ba9771 |
C:\Users\Admin\Downloads\EnableSend.wmv.WCRY
| MD5 | f3673df9a9b20cab7c65509f6d8455af |
| SHA1 | 3d8c56c42d7c629073849f75511ed2290d42581b |
| SHA256 | 38019fe12922eac8f6cc66bb24b27ff160616e65ba49516b8881f17352e2c284 |
| SHA512 | bef05371d5c7e6f1eca79e94031aac5c55f5818a1bb618ddbf55a712ce9e3ff26ef68743799d47297bbf4ac3cacbf2684a975fcacb8412435133b84c34aa3d8a |
C:\Users\Admin\Downloads\LimitCompare.tif.WCRY
| MD5 | eba51075a38b158360b49756bbd218d1 |
| SHA1 | 4df2c16350932e8e385097791742d982b6d0d2a3 |
| SHA256 | 5d1a100d7b631cb51e40a7dd57dc943829d4c1124862bc7cb906e4403287b908 |
| SHA512 | dd7c0ef331d66413ce6d410dcb4e9de12f10d5e31ae04efda8000de6e2406b59de273cfe622eaa0ee8528f877b922efab76d555ef7c8f4a4b9fbe3f5b5eaeb7e |
C:\Users\Admin\Downloads\HideConvert.docx.WCRY
| MD5 | d89705814217f37c2d4b1db6cbc2dbfb |
| SHA1 | ca5486e8240cabf814968fcbcd732ad64059fe9b |
| SHA256 | 69f6fadd35c58311b1c15f69593e1f4995b2d42b2690be20bc3dafaaad9e36b5 |
| SHA512 | a15f67313fc3477ab3ddf417212af63c6f28d62c0ed9314234d3d01156d6e871128727d07c077818b6d0e481c7c80f4167c2149c5c6e05748cd45e881aba1d81 |
C:\Users\Admin\Downloads\GrantProtect.vsd.WCRY
| MD5 | 7fcfe0b11c379a00b4f939642b1534c0 |
| SHA1 | b22852402a582b813a63748a1a94f22d120a9db5 |
| SHA256 | 62a3ca35adf3ac64e5d3971236ef76a17a60a460b3e69fa03d887b181d8346e2 |
| SHA512 | ccf3b12fb748eb235434732cfc5265a59d173e1f4ebf53f1ed845e404cf98d7774e6cbbf038c795d580da6b9b9fbc6a02df879b9c991a61dd1693d378851d522 |
C:\Users\Admin\Downloads\FormatConvert.xlt.WCRY
| MD5 | 1d8a8818a6dbad8cbfc9448ba85b1ba4 |
| SHA1 | 24f2350480bbea5380d7a8ffa97f89ef087ada56 |
| SHA256 | 2f824028265ca4e921ac9908427ec1ac7ff1322153da6705e26af6530ba1c16b |
| SHA512 | c2022c1e5efc61915bda7f756998423e2a13d72bcbd0358e15db956fea25c6eeb35a0d1d96e286240a5e8741b2fcdde4d09e49d1fe1f679e64c4e2be154dedcd |
C:\Users\Admin\Downloads\f.wry
| MD5 | 4490f998dfb5ae142449871129380048 |
| SHA1 | 5d457484a4d6098c9975c14af31033481f9b1d99 |
| SHA256 | 75962be65c92a3f45142193118f349a72453ae8e6b27508346f96a30cf969a9e |
| SHA512 | 06d29fcf67ba1a97ad8d0e78093a55ba834615c0b09528fececf0f4c7e54d750d5fdba79137afd0ca2e61178b904342400b72da537c2731aaff6aadb4e3cf581 |
C:\Users\Admin\Downloads\c.wnry
| MD5 | 8124a611153cd3aceb85a7ac58eaa25d |
| SHA1 | c1d5cd8774261d810dca9b6a8e478d01cd4995d6 |
| SHA256 | 0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e |
| SHA512 | b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17 |
C:\Users\Admin\Downloads\b.wnry
| MD5 | c17170262312f3be7027bc2ca825bf0c |
| SHA1 | f19eceda82973239a1fdc5826bce7691e5dcb4fb |
| SHA256 | d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa |
| SHA512 | c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c |
C:\Users\Admin\Downloads\00000000.eky
| MD5 | af2acbfbc0ff1c3fdd452e1f197e7b3c |
| SHA1 | 8be795c281c4ea15ef41ee61a69ad08af8753620 |
| SHA256 | bca05270ea536da946ee508107d40253f1af7c3192bcfea0ffec5a26005c8ca7 |
| SHA512 | 1780fc20135e8e419fb86977b27b1d3f49abc81203516d26f37ccd77a57b70b877985fc5387f51682195bc257c58a53fd3cb1fc441e61e5585979bf3e2cf3555 |
C:\Users\Admin\Downloads\@[email protected]
| MD5 | 7a2726bb6e6a79fb1d092b7f2b688af0 |
| SHA1 | b3effadce8b76aee8cd6ce2eccbb8701797468a2 |
| SHA256 | 840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5 |
| SHA512 | 4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | d757a274fb3398bb3a0fa8f75451df55 |
| SHA1 | de5b90d59dc5ab62bd54df2df01387570d686b68 |
| SHA256 | 3a59e7e12f467b6be5123f7e3cf7e1bdb21880681172753c62f90cc14253865c |
| SHA512 | 8522f70f7cece69544c021a4cf8fd02b30c858a6e77cc31d859a96b7709dc3cbb5b7183553a0d5216eb30648057b19d14ae25c762d568ddbd7d9dddbdb34e876 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c22d728840b72dca0509a2ec80223f77 |
| SHA1 | ca5e8ce4bdddcda7235f0e5dc7a00df13d500042 |
| SHA256 | 046bdad5e6f1ff57b854a3a4d60d4d5ef870b9170257c5c2477361dda3af9bbc |
| SHA512 | 5a677b37dc2733df984509d6c6c976b4a0effe6d15fb702dadb9c878b8d4a52fefdac6ecaec668091b7be859dc8e36616e3c24561944914f844d364f9b0e68a3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f7f25172a700afecceeb56d8c20ef997 |
| SHA1 | 8fea4c65364f4712a711d357c3d8b9523e2c50f2 |
| SHA256 | 94758952588c16a99d4a08481688d6792ef832d7b1be46d28b0a686fae10d7be |
| SHA512 | 2dc070053e666ac210cbf131d2e2b5d811bd1c653221c33a43dff197e6fe2cc199fbdf7129d2655420f2e3c2d3bdf4912739caffc320b424f1623b7f58dcc4fb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
| MD5 | 48327e31f9f415f6af4cea2ad6a6e67f |
| SHA1 | a60dd3b998645528259836c361921f90b36b656d |
| SHA256 | 7e6811c41a638086063563bebf30e5fffaa5b092e8ef930f50a1a8f63857f34f |
| SHA512 | 0ca5e047d57aeb3509c0875b8c34bdf408f159e7b847f8bb51d4620d5dac04eb5ab9cf9e369defb63cfdefa0447cabc8089a13a8685f8d517e8a154b4ef50bb9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\prefs.js
| MD5 | 1b94fbd853dd9218505066638c459815 |
| SHA1 | 3d5ac25f4ece909eebc3a0996d4c332e10c62873 |
| SHA256 | beb251f6d6213200280845f4e699f81e14c693f1f9dbce19f9afc3ede066cfb0 |
| SHA512 | b715a0f0d846631a8387f2f34fd237e9210125584547123cac178b30a792586e38fde664535f9ce1f6b1a1b6c9a8feb0e0ef8eb7ab7965b01cb716772ac4da5a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\pending_pings\b86e248d-9d45-4ca5-8d8a-68d339c50b37
| MD5 | 9184be0615b99ba01850d220b6df80fe |
| SHA1 | 12ccf0d920ccc8b081d4c912a9624eb029d60d93 |
| SHA256 | 01730108c113a95dd042a47252c9404a5b0e05fb78a256ef1dd54df9a52a53cd |
| SHA512 | 71015682eb205e00819a1262db4ed3e7d5f2b63dbb043ef441dae5759715834469e2288c7773d4fd9f0cbe4d4343f1c2bae3794aacd696dd9fea0ffad8f853b9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\pending_pings\f2ba9690-f99b-4f0e-ac6c-5001d2997ed2
| MD5 | e2c6b42df759016099f402f5c1f0d23f |
| SHA1 | 0c5dd5c0303e68493775b8ce0c00c4863528aaaa |
| SHA256 | 8c0c2840feadc93b890094025e2508b3b0657243017dce5d62dc60d824b275c6 |
| SHA512 | 3f57dcbfd1fc5efa1e7793d8b6566767c0baa80126315ed23624912d14ee6b056949d3adc52082ae251d1a034ea3e4f7e3f8183d921ea2bc85173888922bed09 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\pending_pings\6951cf84-bf7f-4af0-82f4-7792c2e2c6d7
| MD5 | 1986f771c3f418f5312231da357fbc87 |
| SHA1 | 8382ec1b6d3c3be3aecc1d18230b4421b80d0abc |
| SHA256 | c6eddfc7de70c7ff6bb512e56fb8de52dbe2a21ed0fac76d0b1752323777c976 |
| SHA512 | 4afc3e261d9f37716f0dfbb9dae5756df0c51eeef1b22a775137f92fc0a3b9144932e189736557cb35f05e8c89c6aa24e4ca76e28d04d8543fc56f207cfdde06 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 9e9b571ceb943df839f70d23b03cc48d |
| SHA1 | d870e1099491f9f153f83c093762e8d9f11408d0 |
| SHA256 | 6d14226fe71998ee6f4f6a1e07696e6ec4918e53a863f3dbc7073aa0a8d3982d |
| SHA512 | a46b4d05683f2ceff5adb04d02c31b90280d9ab59b5aa087080439ad206802b2308c83d1a744c404c7715da0dc918a1021d4ae64f4a308675b358ef9b9dfed4b |
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json
| MD5 | 7d1d7e1db5d8d862de24415d9ec9aca4 |
| SHA1 | f4cdc5511c299005e775dc602e611b9c67a97c78 |
| SHA256 | ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda |
| SHA512 | 1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sd844ipy.default-release\activity-stream.discovery_stream.json
| MD5 | f9f54c1c45efd0c1f4120ffb1ace89ac |
| SHA1 | 867fc0137c65eba4748c65c34b0e0e6d44326170 |
| SHA256 | 13f8c7623634a519a0c7fa9e5c47760cc12b1a1c0a64c17613d53b53795af905 |
| SHA512 | 7f16ad02e4bc7ffb0b6877306a751c50b7a85b3aac4c24fbab00e3b2f79926e403e9ee3f6a5cedb2ec1a6e18bfc31a17e67168e421757c514d43508d6f632416 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 3a75267cb660bf27a18879b089ffc3ce |
| SHA1 | be86b5dc4a43be515ed2a987bd0b74a9959afbd2 |
| SHA256 | a418f56f5ed006aa0a8b4ffa453c8682474c142233f23b4ed35fa7cfbe47d4b1 |
| SHA512 | e606bfd69def1e20febfa9404e63f7321da1592785c2abe3faafac60cdc9e81a7bd442f8e8416a685d172051824b8347dab3c80d53f138bbc01c98cbaaf585c9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\prefs.js
| MD5 | 933fc806d5ec3cb75d2cb30e1b3567e2 |
| SHA1 | bc22ed9f15c86772e0e2ab28986b6e60a4888a48 |
| SHA256 | 968c9cc7d88cb3ff9446e12e5f05106e6b1b1cb22eab388ae9b2d84be88aa182 |
| SHA512 | d21ccb635883d11942ead8c1068d4d4ed361d80158a2905885fc827e6e1a75a5b08e797f911c2e45b3c5b813c99f1dd202a80f9b871d75c876d5acb3f4cd83f2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\prefs-1.js
| MD5 | a6aa7e694d5a1af79e917efc3d3882a2 |
| SHA1 | e831be74065854601c334da18950f4f490064162 |
| SHA256 | 58cf83de5a04051bde76f919cecc37bee87cbb4e1b0ce2409d27407df1212b3e |
| SHA512 | dbb4d6e71ec53090a100a85a03e8c86fcf6f6bb9589b88838f0595135075afdfe58edd6e9d4f1a1da513e50753d9f91cd8f38723f8b476bb8967b2df289ce648 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 20a0cd267695a326bb4c85dfac0568b5 |
| SHA1 | 0ff5d03e4f52625ce6204dcd74b398c14f4652a9 |
| SHA256 | 15defdc807b3f79f68aec26f416e7a39157c054fa432637ccd4664163255e749 |
| SHA512 | 16d8e35c83813e2c9b90df595cbc97801082daf40d8b186d17a4c04aec69248c2894169f7ce4accb7d2d9d5dbbe612c53f340e4f1075a8a46d94ed11d73380ee |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d51ff809c13a3a8786200df9bee461c6 |
| SHA1 | 0fb181991213106daa55e4f886afe0fcf4241d74 |
| SHA256 | 946e00c2ed8232c56ba48d691321f2df1788ccc45a0f908e7c57dc82d626f0d1 |
| SHA512 | 65765026429130a5854a347b1d31ea9a5e6cd12cd14be3e83b5c620ad96c6fc73d34735fc80b8308bf5d19036525e4dbf989d395e4c45edfa179e66459b8ec4d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 956f4506231bfa76aba88e515f18b7eb |
| SHA1 | e0766b0c82086b60c880583af662b19373f91e36 |
| SHA256 | 2a5b9af12283fd873c4e4ab4fd93d13cbf94bb0701454151a96258a0d832e203 |
| SHA512 | 37fe0587a692c8638f6433a23c414ad8d84c626564deea136d942d38e611a73ab93f09dc8d95503da635ccf6dac64ff8e9b64eca409211e487ea033becc160b0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | cc3c72d247da5dd78bb36d79d225739c |
| SHA1 | 86330791445724f54191c7669a877ce3d47fe5d6 |
| SHA256 | 494a8a124bfdbb662c419abf7fbcd9174407f2566721ce1763e3c0722639a581 |
| SHA512 | 9c47c49dcd1358a112f2cb8a983a164b6ccc053a99c726c9b7dce7c44baddedcbe5fa20ef2c367c107abdaac014e83e38f939d6058c4df6fe30e7a0753680af1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 29813e8068f1fa08719d94c30839b7d9 |
| SHA1 | 54838964a0d33bf7b886d5fa856ceb5c539d5be4 |
| SHA256 | 5dc7b6f4e474b96bb3ae9571592659005582c0cdda42ef2e4e6d800806e9d53c |
| SHA512 | 46a1106c2c887cd49a30f29b2176d3a989fd43de89fe1e1bfee10bfef032ee92b173d97a727854c54808fa2ff8c05d44f737ba7d8ff19e831b229a961ab6befb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\extensions.json
| MD5 | c42557b3d85ef2ecc6d8efdca5464681 |
| SHA1 | c2a880afb49bd9644519cf9002ce0d128020df4c |
| SHA256 | cc716fb90a5005caa328922e855e7a75a50b1af31bc5a0c4c4269b7a48cc3f80 |
| SHA512 | 76d4a882a7fe73f018d3cc3e0e4ba2232f8516cc53f9f1fdf2c6aab8ece6cff394089c79cc831d5584179f74d178df34b44b376ac1abe17b0e79eed4456d0237 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 3dfee9133806631dd9cf089b65abb1d5 |
| SHA1 | 4fae3679e5f0e4d86075a6177cfae9805ff6eaa1 |
| SHA256 | 7a1a3a4d0ffbc4eb3b271272ec590e5536267b5e20fd7352ccdcea9345c8fe52 |
| SHA512 | ca482cfde012ab1f8429df482f4de30535d3d712966d913e819285848524681d6eed170f309fbb2d54e5593794874e3d9543e41c6a54e2bf7f224df19ab59ae7 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\AlternateServices.bin
| MD5 | 5b0fc121539432bac13215a9c8676b06 |
| SHA1 | a0a9ca1fb49122f063ebba1ff1a61d4863f6ae4a |
| SHA256 | ba0b6793e660ab022e58f82424adadf7d6e4d58cee82e895b3beb55c4e7bbc6e |
| SHA512 | 9314ad3d233154a23368ff02340cdc4c61e8e8f095beb41f519df47e2a7a606370972349ec67f1968a7ee6e125d88dc392db55ec6863931f2886dcde6cfa198a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\prefs-1.js
| MD5 | babe3c78569ce7cea30ca261c4ba55cb |
| SHA1 | 8b965cfe306470cb954c4ec7a4b87728a805c622 |
| SHA256 | 0805be989d84796442e60ce5e657cc8a3cb9110d6ec0ae5345e8cc63697f5a47 |
| SHA512 | 1b141be8db60333ba9fd759ada08e573d04b930b1a1eb9c4a407e83b90770484296c4b6d49d05f60e8d60ed788578c19d65d4f998194bc17bee68c42da8ab0cf |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f382fe7c8c90baf8c2e27a9a8db831fc |
| SHA1 | 5ac406b93c0cc7bac119f78c6c7254938ff3999f |
| SHA256 | ee69c93429fa6fb744eeb2116a730daac43c9e856aa969c30c76ba458d6a8298 |
| SHA512 | 8cee09e2ef3c18dc9b264448ff6ac81c99b396c9a334d68376b00627d9f31007a6ca8441e25f8c7519a57d420196a1e3c2ff7005ef2845ac910d6e25d942a916 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | b7aa73397f2ca4bd9c3e2632e31a0520 |
| SHA1 | 05260f98ab091159e714807f5af99b7a8505c3b6 |
| SHA256 | fa5d035a81c5d79d112061e24585129777451562b7c743b9fe4e0997f5194437 |
| SHA512 | b0d96ed775c2fbcce0d6c77fecbd8e4c0681af5d69bcfeae68d8cd6701108cc5de7ae22844e7f6aa742c0ac0ac12b095b35b020bd227f87b3cf58dcda2c47f0f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5e8da7.TMP
| MD5 | 34489edfdac909b471c60b693a120987 |
| SHA1 | bd642494d42b390df37c7e074edf2a59e0203945 |
| SHA256 | 9d33b064ae71115047a75f7205a5bd0052903de50652252440bbc7ec1f5b94f1 |
| SHA512 | f2c010838d144453480ba59e822ae27eb595afa168890350bcbc320dccb3b24f73e7696b09d9fd3dea7cb5b0ffc70f635437a2269e242bc3d90c1985d0c24e34 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | a08783ba0b3da6ed4b6062dcca0f7e36 |
| SHA1 | 59d2d56a46b0676ffb4734ddaca640a1628ca849 |
| SHA256 | 6511b4eee0d2ce4a27588d055d0b6c028e653d7f76de14926bb2b37d685405e2 |
| SHA512 | 0629cb6e6c367058010ed8e1ea0c5aee5c4afa911239cf79ffd6bb8be94b46bb4107dd6595c7d140526d7a9dce53933a0aca887956fd95d93280ba5e380f98e6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 36904b61e3c9d9a99522c8d2ed451d4c |
| SHA1 | 86d2376659918e58596282f55e920ce52c4bc944 |
| SHA256 | 6111e39977e9d4bb5abb5b01bb529184e8f6f9e7cecc180c5026f2f112401a17 |
| SHA512 | 899932c2688d6d583ebf0930beda570f917140488cedbd2b01d2fd75bbd4e1a27512e2e9f0c6449ce47c46faa251367b1b166bbb7450b88305aa56fea4eba494 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 6f41e973333aed3e5d1efa44ec05216e |
| SHA1 | 6a321ff78fe5d8b9c1559a1e5cf8dc5dafd08e88 |
| SHA256 | 38f7fd2ca65fc25b114ddac5adfff3b0a812cb53b3052c67cba4d41f49ba6600 |
| SHA512 | 68c1e13955b4694c8f39cf6dcefd24d10da50d161edae4904a87726da627e2a6f9dd5b659febbdf631c0c055d9e7f0bf84bee06c97a50af0a9835db2ae86e18c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | eab3285fac0001adca66c32f4ed49133 |
| SHA1 | adc98c3ae8620fbdb67105a0393007b203c0c3be |
| SHA256 | 9f9eebabaf8383d18db97012788d9549f7ec40886acd924006ac964be07d685e |
| SHA512 | 13d080a70e3fb43f1a6bc2890b08a2d3753965001967bbd49313cdbc0aa49f406ea7a274ad39e0b6ba27caa40c4a1315861454a827a71008745fe9041ae971a6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7d74239f071433a36a2c0eb34117cba0 |
| SHA1 | d9fdb4171900fb5cbcbcb8965cb4aa76542fbb1a |
| SHA256 | 4ea52a83e9f3a139fa6ab2816d42aeed9b44d39accde461405047f72466f4304 |
| SHA512 | b19f047fc8c095163c6147188734b777236786679ebb0f7820ae2a73791da4da8774a60d8163737e520aa264e6ae4dbfc3ebc346c3d2290448e56eb307da46e0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 20de9fe99b0212489f21d040e9a25ef9 |
| SHA1 | 0d8a9750ac4a2f3f493d36dc105509a69c4cf3f1 |
| SHA256 | 8c27df0f0ff312fa7a6a266249910f9efa9ec572df32afe5b64341ed2023e015 |
| SHA512 | 500219503b55bb5a5e231a98b35205d589fbeb99a52b8f213d4144f45d3e3a068402bc3635701c73b82f4de0e1b42b5649e368d9400b0525f84a5232a756476e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 3e74442bcff1ad6ab2a7a5258a8a72f1 |
| SHA1 | a38d2d1deb6c6c8cbc0f13c2216403899feca36e |
| SHA256 | 3353c0d592ef1507879e11e1b26335c406b0df09ca1ed8fc88103b5ef4eaf91b |
| SHA512 | cfff8e46c6f310fad9c44398d12a947810a8dcd8fb4f523e8a4924a0e2c93e9d3bb87e3f1415077da3fed485a9a1883ca2ca4bce866a89468123a61498f2b3df |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d
| MD5 | e33faed1fd92967a8aa6655e6096964f |
| SHA1 | 6574cc2124cb946b13d6e9d4b59e5a642818bbf6 |
| SHA256 | adb91e2604728d67c7b682816c4063fceb8f7531d66fa8288dc33cd7b7acc0c6 |
| SHA512 | 624fc061a57d79f8e16b1f1cd1934fba44c0ae7f2d7dcb2745e3ca6a9285adb1f4c546a0a8c2459bbd195cca7b28bb4317e1547fe9737226ad884acca5dec319 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e
| MD5 | 1618fa09264c877aa3e5ffebd3f39acf |
| SHA1 | c013865466ccfe4c871cde5c5ff38dfaf3bf3c6e |
| SHA256 | e7c030a160a4e78524977bbdb0e02745e00e8d3cd63cbbbfc83cfd59ac66bb19 |
| SHA512 | bed04b251850c283966aa0d720dea5c0b804c22429988a026e072abca63c349d6d3255869161fa432f62ce5d9fcdd06a2132e4f7d9a57165e0fc01e0fca344cb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034
| MD5 | 15cbcae38534536bd9b4340b5e65a272 |
| SHA1 | 4520b28887abcb1413b532af6e78d7813deecd49 |
| SHA256 | 3b2fee49b6e76a1aec319c332aceaa8f7c7e01462508fb7995aab9741d1cf01c |
| SHA512 | fc44d4c9779f59c1a71019c00ae91e373f780b83517e2b6a8a5241ccc74888fc3b009d5466605182981b588dd3740fa004f971f25bda495d6735f4012fbadc17 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035
| MD5 | 39c19c6eaf43544e607d370d220aaf10 |
| SHA1 | 3964267711dc71bd93427f68bef35ee30b2eda1c |
| SHA256 | f02a397a15b22676dcd93a2a2ef2ebe861b765c7cd07c12479e5cf676e153c10 |
| SHA512 | 9a0ac7db4ac0b8da01a79515780d2eb18ba1c4e7b103fe6bff3414364e7973f46d064eabf5ef617f1dee9519b3454da22c49f74ae3752cc8064f7c23076d8f6c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | f0e7f60d645dbd032ef652ed7683fdd9 |
| SHA1 | cdfd4c05e04e8248b244296a17408e8b4b37236f |
| SHA256 | 40428f4a14267e3aacb91698c46afc6e661fb6adaa88c7f789465c30b97b77e8 |
| SHA512 | 5ca391ff849f8c3512a6bfd7ef059d8602fe54ee3f00e1d20238cad1762bb6c0a8d9c6ceaebc9b9ceb02bf56c6786133daa0c14264e0c2ce72ab66a78c3ebc0b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bfc96b2de3301915ab1a186dbf63db3a |
| SHA1 | 7752ebdef341c5057f820b251b5325bbdc6b2604 |
| SHA256 | d9de8d608bb2638ebb83e17a67170c7ad826a5bf1204231f352c70d2d9fc7743 |
| SHA512 | 85fa1eeeda2d6270250071963d82475bb5d68bc6601e4058ae34906d22905e196a39c2cb696e05eaf5d4fae33da3b8b807d5f734feecff62d35f39ee01a8ba76 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1831b89c76485a1e12ff70e6c8910546 |
| SHA1 | 1b8436d2c23b5256c1e7ea87bd5efb73a6d6e470 |
| SHA256 | ad7ce1ed8a85ab477f42a1f2b4b2cbb7edcede90fc174acf3a8bb83cd4d43821 |
| SHA512 | 278a92137e84db0c6ebbad8aaa621a0b5989ffdf395a289f3a3822b5a9f81a53efb058b6ae97be2884ae6a00bb5f6f83df2c5d158ddbd226e3e1099076c183a5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 1e4b5d9add0557be062e7cc25d79e01e |
| SHA1 | 1122bfc6bff8a47e771c12866e0f211f9c3439e2 |
| SHA256 | 0d7280411d4ee77d049cbfe160618c68df90ea89ed4a8ab61bcc6d70feb6bb15 |
| SHA512 | e833ed823d35121bef463cc35d2ee10fd240950e6fa583d0ff65976a69414140a72f73be219ed4e165cb014758181706a40b4ff2d529f9a5b669e9abdd7aaa10 |
C:\Users\Admin\Downloads\Unconfirmed 277192.crdownload
| MD5 | 63210f8f1dde6c40a7f3643ccf0ff313 |
| SHA1 | 57edd72391d710d71bead504d44389d0462ccec9 |
| SHA256 | 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f |
| SHA512 | 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | ba71416feef3be0733c7bca6702eb346 |
| SHA1 | adee6838363012304251a22cf1a5ba21ee754bb1 |
| SHA256 | e2b6829d271234c0265212f8d2cc8d96010897e0fb99237eb01b30ad986c2a4a |
| SHA512 | a3ab8d369a8e9d117a914b0727bcafe385160847c1dfd1a27a9bc7096afe8477f28724012c2720b3b2ff5e1064594b110d5648c6a60182bd2c1180323ce2ba2a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | f10392096b40bd37e9d95cb63da7e225 |
| SHA1 | 4978fdd5ba0a7000dcdf0d77fad4f797fb39bc90 |
| SHA256 | 2f3459330966b31c5cc10e68d6e1683a94f2e1844fd29f029a4f48d9991a0581 |
| SHA512 | 50e306e0c5129e6b2aca3e0932dc9f7f232e60d23168782492a5fa74c5d29e79cc0658d58ef0fe31a05284d1fe65a433ae1288d1e4319c4151ec41b6b8423558 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
| MD5 | 9b8a184f089c0bc7061520ca85cf4735 |
| SHA1 | d195b50a2b1f57c53b23f711b46e7470e690736e |
| SHA256 | b491585934b1f67024c08c1fc256c39d176941218bf9e41055326c1d62f6d98b |
| SHA512 | 63e4766b9b2407c8e698bc9cae7455ea0a9df280c46a34f1a06f7e3b7c0a5e80bbc60abae56998345a4ec231911f3874db6d6274047e4e6d5af5343ff56f7cfd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1cc27937b5b78fb75babe65ffc61c0d9 |
| SHA1 | 00eec5023c42f9330f4321807608f0674b306732 |
| SHA256 | bc868846988dd7fa627b062262553a492b5e7dde9d9ca4b148d6f738036f6584 |
| SHA512 | 38a4d3a19009c53cd64b7a1ddfcee1d1b5c59332f1e69bec00c72694e3e8f9dacc1ca32aeb9097ce3a407ac45ddbbe6d445baa55f8909c929d11f585e158824c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 8b0f77157df70327f253f484d97bbd81 |
| SHA1 | 71b0b4adb06502c12f89073d939e30b321abd8eb |
| SHA256 | 0117fa7eb8c71d782ff1a20a461c3c187e1663c33c6503188aef7982db90a535 |
| SHA512 | 6ec95ec097b4f712dbcbdbd1d053ec8af49ad1ebe2776d1eba419b1f081233708c12f0bacc793ef38368ca4798e1a8454fcd1a2b383893459cb356c0d6daa5c4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c779251b4a8435fa46e67cd4a5d918a9 |
| SHA1 | 7aea03a7556f1ad6e47d8db0c84d480dd2322224 |
| SHA256 | 98b0406a05a65e032a76682ec63fa95556726144b597be42a3c9a7a8fd362da3 |
| SHA512 | e7e91872be4153a24ef3af7d77f9f5b4f48ffc00ea8450a2a0d336320c51108907ea8320a7058dc39b7c977d58ffc26943bc65138b8ea5dbb4bcf70f99f2c1d2 |
memory/5424-3900-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/5424-3901-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/5424-3902-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/5424-3904-0x0000000000400000-0x00000000005DE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | c7286d744638afc108401f0105ef47d0 |
| SHA1 | 6a54bc87d4e210649bd5c694afd76aff3ba1bcd7 |
| SHA256 | 6de37b75cca4fb4b4bd6ac04ebdd1d3aa2463f72183b445d6ee907a7825872a5 |
| SHA512 | 2b680a55b3ca5daa3f74cb00f30d23e08f88740471722f41f77ae90990e02657ad82b28f1371952af3debabf8c37ca974a8255caf5981a2d808df0fd447b49f0 |
memory/4100-3921-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4100-3922-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/5424-3927-0x0000000000400000-0x00000000005DE000-memory.dmp
memory/4100-3928-0x0000000000400000-0x00000000005DE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 795f517076b655527d9bd07af9f55724 |
| SHA1 | 89dbdf0b5f51a69b8d89935e0a5eb940ad3309df |
| SHA256 | a22894e73230331388d6cda22a59968169455dfeb5172f842fbd75756cf41a9d |
| SHA512 | 679169aa0587a6d4356840e9d6d3ea720dfbf2b57478b47d17df5465eb929a4a3335bcbdbf6f91b62e008241be008bd0eb24d7fed173f293e96a7bb8023b22a2 |
memory/5424-3950-0x0000000000400000-0x00000000005DE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b
| MD5 | 055d1462f66a350d9886542d4d79bc2b |
| SHA1 | f1086d2f667d807dbb1aa362a7a809ea119f2565 |
| SHA256 | dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0 |
| SHA512 | 2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a
| MD5 | 5009982b60a0f93eac4c1728e5ca17e2 |
| SHA1 | c0f932d333b91a4b971a52ce88bc96320745064f |
| SHA256 | 2ffc0ec332938cbce14008ab246c3d918800189aece932e92bedd8adb8332fe8 |
| SHA512 | 401dd0a45c177130628787b92a17642783d27b1a977833af4110d81cbf2572a159a371beb473baa07ad38ac8297551aadadd2ebb80401a73acd580fdc03964aa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039
| MD5 | 9196e81f8ed7f223d765423c1f9bc8a7 |
| SHA1 | 88f9d5c2a6908cf36b8daae803578ca9e1fd2929 |
| SHA256 | a4e2bcf7ef3c6c614c2142d3c1fd44caac4eafa86a1779ac31cba164e2d89cbe |
| SHA512 | e7d23866fcac017762d2e2f18597124e9147f458d30038f78ba9f3a2bcbe479fe4792573894370ce2d6f93a00401231d9f01955fde351ff982a82ba87a8241f8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | ac3070bf987e3b507675143b95f4523a |
| SHA1 | df9903ee55bda080c94706862275e99dc1338911 |
| SHA256 | 0a998d4bf94b256cdbc326fee7aad765d3ec9866077c7c6c701b10ee08e89444 |
| SHA512 | 138bacc44ad59b4ce7761257b8225ed52cb003225c680ba034127023e93a158e9186afb7e978011a907b9c7d4f299e6f14093d58f868be940444d53d2a3d4873 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
| MD5 | f7a61cc988c4e55e366963ed20dacdb6 |
| SHA1 | f0727eb9ede1f2a20f8b01a0ee00832894ed4e3a |
| SHA256 | ad711a5b2e38e46e184db3a7eef192feb694aa00f961fcf0b58e479db6edfd3f |
| SHA512 | 6d3c4a4e5ff99e578bc67af1bc672207efd4051e341bf9a4676d6b2e6e3be6d6fc117033f2f7c65bb54bc94a30005b620c50067b9f6f9479461998c70c9042a5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d5b99fe962bd46556ef03748d79790b1 |
| SHA1 | 5ea60eaaa452a5a7b156e46a78123e40a6aa58ab |
| SHA256 | 2baf303c53a30714b5d3222f70c3b8cdc97f549809231bd1c07fa1a6f0188ee6 |
| SHA512 | a5be45da195a332c562aaa32e8ab6b0bb9f54dba3d9e6bef418fbe69d4d7e1aeeb975e4f2d0014d5a331b3899d367b40d5a4594bca8a6e306b0fd44a83efb686 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 36d652ddc4d0aa2ea6f99dab56889458 |
| SHA1 | 4f35cbcbcd956060729c02890aa8a0dae24ab794 |
| SHA256 | 130ba9c30006c77faab1e67559363ed2a7804337f57b0e1aa9ddeddfacfea42d |
| SHA512 | 0f38a6397b290d4a56823d85f2e78fffd9928c3df85ca3e6878be553c9043019afb1511a90b9bb7c0dee7d0ddb6c02ead71137b6fac1b1338bec18fc514c614a |
memory/2736-4058-0x0000000000400000-0x000000000056F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 4fc2146150fec86b209458aba1056508 |
| SHA1 | 08d169ceda2b0a45f044ffa7796c767ac0b2a8f2 |
| SHA256 | b688a7d1d1699cda02b97b559dea306dfd7f9f9ca2b5ca3843237e561268c0b3 |
| SHA512 | a1bf436adcd0bb9e909048d70bec1b359ef141147077d2c9f134d4f2dd2b7cbe729858c5c4060132e34b59694d63905620dc2e55d58f3fa38d48a019e3b04e28 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.id-A86C441F.[[email protected]].ncov
| MD5 | 68d9b9c086830c468ab309d94ef74783 |
| SHA1 | 7d8fcb2b84baa1d35b6fb12892aa8faca4151c28 |
| SHA256 | dd77f92b3a25c83fe420ac094b5d5dcb646c54101dbb4e818599d12b057e9507 |
| SHA512 | 9c68af6ffef146a0f8e0ebe94433b73cb77648b00b5d84e805d4dde7ce04e20b1e0efdd2abadcf5822418d0394579a670b4b02b90a36a8b193af042d629bb0dc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5a1a2a16ae2d4502c8cec3eb2afe5cb0 |
| SHA1 | d12968d0aa7d6cb725b97a8c7110a8a245a9a653 |
| SHA256 | 634d441d01600ea244ebce8a6b4d3e5ed1db677c45ba5ffc938d02f7ecb7b8bf |
| SHA512 | 1512b3d29ef8bf726df0e5fa81a95dde93d70328e1c747b2d1c4092a6fc4e9aba7219ceb9778a4c00190119b97b1cce9bc56a7e52a86e4ea041fedb5ee99f898 |
C:\Users\Admin\Downloads\Unconfirmed 412718.crdownload
| MD5 | cce284cab135d9c0a2a64a7caec09107 |
| SHA1 | e4b8f4b6cab18b9748f83e9fffd275ef5276199e |
| SHA256 | 18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9 |
| SHA512 | c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | d3166d12af7b03dcf57cec5726ad2575 |
| SHA1 | 8115e0841656a98228a4e86d21d04aa45c2c7932 |
| SHA256 | 46df1de7f19d2ac928b512e5be1b0df5f6e45d02ad6dfb60a4374d749490af19 |
| SHA512 | d109a4b4bd80c4717388a65990e8c48cbf2e4c19576d511d21602e5b441d278f35e4e0ad36bda17654c793624ef6891b63938e9bd1b0259198a30a80992b2938 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe61d7b2.TMP
| MD5 | c1891f1c6bff4b527edc8a04d3450658 |
| SHA1 | 6e040f95db64968d70a8f48bdcbb4347ff186c73 |
| SHA256 | 20593105debf4bb484b9b6e0040c0da0cda020cac217ee18e538f4367a467508 |
| SHA512 | 2ac78492ee693c26eeeb7814f6975dec0d22e5e9220410c6d685becbcc7dd8a9ca0afce3ed93862d8707a626903258b894b527984242993a98ffcfd23817bdb9 |
C:\Users\Admin\Downloads\Unconfirmed 423497.crdownload
| MD5 | 1535aa21451192109b86be9bcc7c4345 |
| SHA1 | 1af211c686c4d4bf0239ed6620358a19691cf88c |
| SHA256 | 4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6 |
| SHA512 | 1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 0877483bad7af3986ebd7cf53ce680a9 |
| SHA1 | aa21ac6f97560cca7b005b6d245348f55108233b |
| SHA256 | beab9e210d774b7fae1514cbc0073c2277ce08ca9ebf1be128ec55f34ac50c3a |
| SHA512 | ef8bea338f0212aa306824e9611257f932b7206f411c268cf47cf71d2f7426ed133770e139e17d58b6b3cc1ff1ac488620624ec79b0284c7e7a26083e8de1abf |
C:\Users\Admin\Downloads\Unconfirmed 92714.crdownload
| MD5 | 60fabd1a2509b59831876d5e2aa71a6b |
| SHA1 | 8b91f3c4f721cb04cc4974fc91056f397ae78faa |
| SHA256 | 1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838 |
| SHA512 | 3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms
| MD5 | ac04cef26c4bdbe54177eaca0d05bde4 |
| SHA1 | e4ef8673d6ad499a9ccd827b76d6fba1bd659140 |
| SHA256 | 71645bbcdcf505bea2cefeb59b3906dc556114132f42b39039592d12d59649e9 |
| SHA512 | 94097c6e74b1a44c9f9c711ea2c6d1689df58c2b86512bfa34708dcd863ca9b4d2fff88f34c4c55767ae168c5d4493bc57d6e8b67416f1a2f2d01ae9c81160b7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 236babef91912701d84b1c84a94acc17 |
| SHA1 | 3fa556912154f8f6f18c7c68c623d3d94ec288bf |
| SHA256 | 2a5ef13de8b0c8c7abf63bae3e6a7a8d22e544e00776e5bf8ae471e33f675eb1 |
| SHA512 | 9b1aa1fd275dd89b3816de8c6ec877057fd68653252ae65e46b8e5dfe02366e08b9ab5f593c9c15f4d3ef1e70225ee9e6e1f7fbfbef36e3b25e60774a5ce6801 |
C:\Users\Admin\Downloads\Unconfirmed 63757.crdownload
| MD5 | f2b7074e1543720a9a98fda660e02688 |
| SHA1 | 1029492c1a12789d8af78d54adcb921e24b9e5ca |
| SHA256 | 4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966 |
| SHA512 | 73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 48513f60cf1d4e652fa575b6852d569d |
| SHA1 | b8f1dca6f46c2ed02c831d809681c7104ab4f2c9 |
| SHA256 | 0d3bdea3ed1ad8b28b7388592fc2f24400954ba33dd3fde4367845293ec3f0ad |
| SHA512 | 28d8e53b87ac0d0888f8a8145e029d8a05a7fc227f6244e1dcc5d1fed19c2623c217ca326eff91175b2402ed75f788b80ca6dc167f3f0b40ca748f1c7b70ca8d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 262851632c0b990478c8d492856140f8 |
| SHA1 | e4abf10dee41d262e638aab135f840bff592b814 |
| SHA256 | d14896e866617362ea9e2699769f6ba101b668ceb09eb0b26357a222ad0f20fb |
| SHA512 | 7c2d461b227004e1718c617270c04189c2a34c964a7e591c989cfd946adb61e7ec61bfa745540543a725f36ccc5d38211797785fcc7fca52d1869930696d527a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 113889ea39f19d04d6ee25920180ea77 |
| SHA1 | 37043875df1d3e3d89596fc03067bf569737e107 |
| SHA256 | 9dfe54ee8a792987a9db5e0013c5010fbf061f0cc5afce78c5d677b29b46a5b2 |
| SHA512 | cdbe992ab4b11d01ab5599631c9444b7067ecbb8093efe8f7ad46654e086e474519aba04a22ea17806cafd779d735b7c2aa8ab4b58b0067774dbf32c49ae4f40 |
memory/2736-24587-0x0000000000400000-0x000000000056F000-memory.dmp
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
| MD5 | 81aab57e0ef37ddff02d0106ced6b91e |
| SHA1 | 6e3895b350ef1545902bd23e7162dfce4c64e029 |
| SHA256 | a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287 |
| SHA512 | a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a9093629b9d6ecc844e34528effc9447 |
| SHA1 | b45754c9c6e3ce17deb24e61a10e0edd9a46d339 |
| SHA256 | 35913d0a577f245ccf9b201873636d46c27a67b5aa14222d847ac56a6f9beb2e |
| SHA512 | 65242778f88353b13e6a418b16dbc97f00bb9a07c33a1751c1d73ed32d3f55997737bf3a4310b963134e04f2d80ca7416197bd85afdde3ab41549c9c7bb188f6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 540f74d6e960643069cdc4daf59f0a95 |
| SHA1 | ca4615a14a86ffd6684ec38918a4270f151caeb2 |
| SHA256 | 54887a33a5d612dc1e6fa7ab42ab93245f89a5551b81a1bd2fe42d27e0924701 |
| SHA512 | 0bfe5a6c181f4a474b9f81b2f710eb2a348178ead0f053a3f06ba72e8cb1ed6b1fc7d98abba80dd3d5c60ea1ceeda4469614a0f37a7b841f35227b9633debdb0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 49584bdc2d1ecd442e7911ae926b67bd |
| SHA1 | cf00197bc0f21fe5cdd01b11dd0feb20e34479b6 |
| SHA256 | d500bb4e3beff75d8d5342fb413e69dd6d1283c899196fd1825b97f65513fbef |
| SHA512 | 55f89f426ae32a82b6eabb33c7eb0c43f83a1a64819c3a78c970bd774858716a4f7d54556a8a1d5f75291012c56596c1b46513773b333a5b9637f4d1dca09e09 |
memory/21824-24797-0x0000000000550000-0x0000000000BFE000-memory.dmp
memory/21824-24798-0x0000000006610000-0x0000000006BB6000-memory.dmp
memory/21824-24807-0x000000000BC80000-0x000000000BC8E000-memory.dmp
memory/21824-24806-0x000000000BCC0000-0x000000000BCF8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 50c09f2694e2b571c60486cfdfd372e9 |
| SHA1 | 0953b665ee3eba86cec45fdb81124148bcfbbaa1 |
| SHA256 | 31f766c92ddc5473412316d09d7bea0297392e33f2acdeec7f53d1a4b7f690b2 |
| SHA512 | ddd3a0e8032547cb835e831b9f4d7259d5211d72b2ecb724b4fb7c91db35995e2488d8e60500a76a6fc47e789145cfa60452891835e9289c1e0fa35a0956be27 |
C:\Users\Admin\AppData\Local\Temp\v.mp4
| MD5 | d2774b188ab5dde3e2df5033a676a0b4 |
| SHA1 | 6e8f668cba211f1c3303e4947676f2fc9e4a1bcc |
| SHA256 | 95374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443 |
| SHA512 | 3047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\sessionCheckpoints.json.tmp
| MD5 | e6c20f53d6714067f2b49d0e9ba8030e |
| SHA1 | f516dc1084cdd8302b3e7f7167b905e603b6f04f |
| SHA256 | 50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092 |
| SHA512 | 462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf |