wannacry | 0d3640ab26280297ecd40c7807f0c420fe376e3d32b59052279eb13a8fc9a7c4

Resubmissions

18-12-2024 17:08

241218-vnm4hswrdq 3

18-12-2024 16:37

241218-t4ydrawmdr 10

Analysis

max time kernel
1487s
max time network
1648s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-12-2024 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

267KB
MD5

79c71a1177718da362083128aeddd237
SHA1

1496d4219e4266d0c609c93595c47d55a3fe375d
SHA256

0d3640ab26280297ecd40c7807f0c420fe376e3d32b59052279eb13a8fc9a7c4
SHA512

801244cd6d4a407d8c886803f5668ce1aaefec59d9f8c13a6a95654db847154419c8debe688f79248f218015ae7941f32bb4a7fc8830f607c2207bdabf3078ec
SSDEEP

3072:Rm/iwlwEq6DxoZw1ImA2l/R/h4w0yYGO0wImgrAwtN+Tl/j6q:Rm/j7jDxoZ2ImvRn0xGiITK6q

Score

10^/10

wannacry aspackv2 google defense_evasion discovery execution impact persistence phishing ransomware spyware stealer upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (15294) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x001d00000002acaa-3433.dat	aspack_v212_v242
behavioral1/files/0x000d000000026013-3709.dat	aspack_v212_v242

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD13D3.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD13DA.tmp	WannaCry.exe

Executes dropped EXE 19 IoCs

pid	Process
4720	Xyeta.exe
4556	Xyeta.exe
1524	WannaCry.exe
2020	!WannaDecryptor!.exe
3488	!WannaDecryptor!.exe
3208	!WannaDecryptor!.exe
4980	!WannaDecryptor!.exe
1836	satan.exe
1684	satan.exe
4820	nati.exe
2928	nati.exe
4256	ScreenScrew.exe
1864	ScreenScrew.exe
3732	ScreenScrew.exe
1624	ScreenScrew.exe
4572	ScreenScrew.exe
932	ScreenScrew.exe
1368	Popup.exe
5440	Vista.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\{B42C539C-23D3-741B-5056-89006DF8340B} = "C:\\Users\\Admin\\AppData\\Roaming\\Ozbes\\nati.exe"	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OISOJQVMMGZNYELCLEG = "C:\\Windows\\System32\\OISOJQVMMGZNYELCLEG.Txt.Vbs"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\OISOJQVMMGZNYELCLEG = "C:\\Windows\\OISOJQVMMGZNYELCLEG.Txt.Vbs"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KEOJFMRIICVIUAH = "C:\\Windows\\System32\\KEOJFMRIICVIUAH.Htm.Vbs"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\KEOJFMRIICVIUAH = "C:\\Windows\\KEOJFMRIICVIUAH.Htm.Vbs"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
99	raw.githubusercontent.com
2	raw.githubusercontent.com
12	raw.githubusercontent.com
54	raw.githubusercontent.com
55	raw.githubusercontent.com
91	raw.githubusercontent.com

Detected potential entity reuse from brand GOOGLE.
phishing google

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\OISOJQVMMGZNYELCLEG.Txt.Vbs\:Zone.Identifier:$DATA	WScript.exe
File created	C:\Windows\System32\.Txt.Vbs	WScript.exe
File created	C:\Windows\System32\KEOJFMRIICVIUAH.Htm.Vbs	WScript.exe
File opened for modification	C:\Windows\System32\KEOJFMRIICVIUAH.Htm.Vbs	WScript.exe
File created	C:\Windows\System32\KEOJFMRIICVIUAH.Htm.Vbs\:Zone.Identifier:$DATA	WScript.exe
File created	C:\Windows\System32\.Mdb.Vbs	WScript.exe
File created	C:\Windows\System32\OISOJQVMMGZNYELCLEG.Txt.Vbs	WScript.exe
File created	C:\Windows\System32\OISOJQVMMGZNYELCLEG.Txt.Vbs\:SmartScreen:$DATA	WScript.exe
File created	C:\Windows\System32\KEOJFMRIICVIUAH.Htm.Vbs\:SmartScreen:$DATA	WScript.exe
File opened for modification	C:\Windows\System32\OISOJQVMMGZNYELCLEG.Txt.Vbs	WScript.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 29 IoCs

pid	Process
3356	Explorer.EXE
3356	Explorer.EXE
3356	Explorer.EXE
3356	Explorer.EXE
2928	nati.exe
2928	nati.exe
2928	nati.exe
2928	nati.exe
2928	nati.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3484	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
6028	msedge.exe
6028	msedge.exe
6028	msedge.exe
6028	msedge.exe
5208	WScript.exe
5208	WScript.exe
5208	WScript.exe
5208	WScript.exe
5476	WScript.exe
5476	WScript.exe
5476	WScript.exe
5476	WScript.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1836 set thread context of 1684	1836	satan.exe	182
PID 4820 set thread context of 2928	4820	nati.exe	186

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000024dc5-1412.dat	upx
behavioral1/memory/4720-1528-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/4720-1529-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/4556-1597-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/4556-1599-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SplashScreen.scale-100_contrast-white.png.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.targetsize-48.png.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-100_contrast-black.png.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreStoreLogo.scale-100.png.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-30.png.Vbs	WScript.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\THMBNAIL.PNG.Vbs.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SnipSketchAppList.targetsize-20_altform-lightunplated.png.Vbs	WScript.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms.Vbs	WScript.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.Vbs.Vbs	WScript.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.Vbs	WScript.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\vlc.mo.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-white_scale-125.png.Vbs	WScript.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul-oob.xrm-ms.Vbs.Vbs	WScript.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\ucrtbase.dll.Vbs	WScript.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms.Vbs	WScript.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO40UIRES.DLL.Vbs	WScript.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll.Vbs.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-256_altform-unplated_contrast-white.png.Vbs	WScript.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEERR.DLL.Vbs.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-16.png.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLogo.scale-200_contrast-black.png.Vbs	WScript.exe
File created	C:\Program Files\Windows Media Player\de-DE\mpvis.dll.mui.Vbs.Vbs	WScript.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe.Vbs	WScript.exe
File created	C:\Program Files\Common Files\System\msadc\adcvbs.inc.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\AppxManifest.xml.Vbs	WScript.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.Format.ps1xml.Vbs	WScript.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintAppList.targetsize-48_altform-unplated.png.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\en-us\msointl30_winrt.dll.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintAppList.targetsize-32_altform-lightunplated.png.Vbs	WScript.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.Unsafe.dll.Vbs.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\HxOutlook.ViewModel.dll.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-black\FeedbackHubAppList.targetsize-30.png.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-200.png.Vbs	WScript.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Design.resources.dll.Vbs.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\BaseComponent.js.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Microsoft.Apps.Stubs.winmd.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\AppxSignature.p7x.Vbs	WScript.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Input.Manipulations.resources.dll.Vbs	WScript.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\cursors.properties.Vbs	WScript.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\GetHelpSmallTile.scale-125_contrast-black.png.Vbs	WScript.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-40_altform-unplated.png.Vbs	WScript.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.dll.Vbs	WScript.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\FeedbackHubAppList.targetsize-80_altform-lightunplated.png.Vbs	WScript.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler_47.dll.Vbs	WScript.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contact_us_3people.png.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36.png.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-20.png.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\LensSDK\Assets\ThirdPartyNotices\ThirdPartyNotices.html.Vbs	WScript.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf.Vbs.Vbs	WScript.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-16_contrast-white.png.Vbs	WScript.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationTypes.resources.dll.Vbs	WScript.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSSOAP30.DLL.Vbs	WScript.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Xml.dll.Vbs.Vbs	WScript.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.Vbs.Vbs	WScript.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.dll.Vbs	WScript.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\OISOJQVMMGZNYELCLEG.Txt.Vbs\:SmartScreen:$DATA	WScript.exe
File created	C:\Windows\OISOJQVMMGZNYELCLEG.Txt.Vbs\:Zone.Identifier:$DATA	WScript.exe
File created	C:\Windows\KEOJFMRIICVIUAH.Htm.Vbs	WScript.exe
File created	C:\Windows\KEOJFMRIICVIUAH.Htm.Vbs\:SmartScreen:$DATA	WScript.exe
File created	C:\Windows\KEOJFMRIICVIUAH.Htm.Vbs\:Zone.Identifier:$DATA	WScript.exe
File created	C:\Windows\OISOJQVMMGZNYELCLEG.Txt.Vbs	WScript.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 6 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Vista.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Xyeta.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\satan.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ScreenScrew.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Popup.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3376	4720	WerFault.exe	140
5024	4556	WerFault.exe	146

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenScrew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenScrew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	satan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenScrew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenScrew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	satan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vista.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xyeta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Popup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenScrew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenScrew.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1320	vssadmin.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4212	taskkill.exe
464	taskkill.exe
3608	taskkill.exe
4564	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\.idb\ = "idb_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Popup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Pictures"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\idb_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\idb_auto_file\shell\Read\command	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	msedge.exe
Key created	\Registry\User\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\NotificationData	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\idb_auto_file\shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Popup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Popup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\idb_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Popup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\idb_auto_file\shell\Read	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Popup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	msedge.exe

NTFS ADS 28 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 657746.crdownload:SmartScreen	msedge.exe
File created	C:\Windows\OISOJQVMMGZNYELCLEG.Txt.Vbs\:SmartScreen:$DATA	WScript.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 27112.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Vista.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MYDOOM (2).idb:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 215902.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 100027.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 62739.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MYDOOM (1).idb:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 741448.crdownload:SmartScreen	msedge.exe
File created	C:\Windows\KEOJFMRIICVIUAH.Htm.Vbs\:SmartScreen:$DATA	WScript.exe
File opened for modification	C:\Users\Admin\Downloads\MYDOOM.idb:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\download.jpg:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 995982.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Xyeta.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 887141.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ScreenScrew.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 892033.crdownload:SmartScreen	msedge.exe
File created	C:\Windows\KEOJFMRIICVIUAH.Htm.Vbs\:Zone.Identifier:$DATA	WScript.exe
File opened for modification	C:\Users\Admin\Downloads\MYDOOM (3).idb:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 207233.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 954792.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\satan.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 192543.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Popup.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NewLove.vbs:Zone.Identifier	msedge.exe
File created	C:\Windows\OISOJQVMMGZNYELCLEG.Txt.Vbs\:Zone.Identifier:$DATA	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4408	msedge.exe
4408	msedge.exe
4896	msedge.exe
4896	msedge.exe
1624	msedge.exe
1624	msedge.exe
1596	identity_helper.exe
1596	identity_helper.exe
1640	msedge.exe
1640	msedge.exe
5088	msedge.exe
5088	msedge.exe
1112	msedge.exe
1112	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2084	msedge.exe
2084	msedge.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4668	msedge.exe
4668	msedge.exe
1172	msedge.exe
1172	msedge.exe
3844	msedge.exe
3844	msedge.exe
1836	satan.exe
1836	satan.exe
1836	satan.exe
1836	satan.exe
1836	satan.exe
1836	satan.exe
1836	satan.exe
1836	satan.exe
1836	satan.exe
1836	satan.exe
1836	satan.exe
1836	satan.exe
1836	satan.exe
1836	satan.exe
1836	satan.exe
1836	satan.exe
1836	satan.exe
1836	satan.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
1176	OpenWith.exe
3356	Explorer.EXE
4896	msedge.exe
1368	Popup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 43 IoCs

pid	Process
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3608	taskkill.exe
Token: SeDebugPrivilege	464	taskkill.exe
Token: SeDebugPrivilege	4212	taskkill.exe
Token: SeDebugPrivilege	4564	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1016	WMIC.exe
Token: SeSecurityPrivilege	1016	WMIC.exe
Token: SeTakeOwnershipPrivilege	1016	WMIC.exe
Token: SeLoadDriverPrivilege	1016	WMIC.exe
Token: SeSystemProfilePrivilege	1016	WMIC.exe
Token: SeSystemtimePrivilege	1016	WMIC.exe
Token: SeProfSingleProcessPrivilege	1016	WMIC.exe
Token: SeIncBasePriorityPrivilege	1016	WMIC.exe
Token: SeCreatePagefilePrivilege	1016	WMIC.exe
Token: SeBackupPrivilege	1016	WMIC.exe
Token: SeRestorePrivilege	1016	WMIC.exe
Token: SeShutdownPrivilege	1016	WMIC.exe
Token: SeDebugPrivilege	1016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1016	WMIC.exe
Token: SeRemoteShutdownPrivilege	1016	WMIC.exe
Token: SeUndockPrivilege	1016	WMIC.exe
Token: SeManageVolumePrivilege	1016	WMIC.exe
Token: 33	1016	WMIC.exe
Token: 34	1016	WMIC.exe
Token: 35	1016	WMIC.exe
Token: 36	1016	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1016	WMIC.exe
Token: SeSecurityPrivilege	1016	WMIC.exe
Token: SeTakeOwnershipPrivilege	1016	WMIC.exe
Token: SeLoadDriverPrivilege	1016	WMIC.exe
Token: SeSystemProfilePrivilege	1016	WMIC.exe
Token: SeSystemtimePrivilege	1016	WMIC.exe
Token: SeProfSingleProcessPrivilege	1016	WMIC.exe
Token: SeIncBasePriorityPrivilege	1016	WMIC.exe
Token: SeCreatePagefilePrivilege	1016	WMIC.exe
Token: SeBackupPrivilege	1016	WMIC.exe
Token: SeRestorePrivilege	1016	WMIC.exe
Token: SeShutdownPrivilege	1016	WMIC.exe
Token: SeDebugPrivilege	1016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1016	WMIC.exe
Token: SeRemoteShutdownPrivilege	1016	WMIC.exe
Token: SeUndockPrivilege	1016	WMIC.exe
Token: SeManageVolumePrivilege	1016	WMIC.exe
Token: 33	1016	WMIC.exe
Token: 34	1016	WMIC.exe
Token: 35	1016	WMIC.exe
Token: 36	1016	WMIC.exe
Token: SeBackupPrivilege	2672	vssvc.exe
Token: SeRestorePrivilege	2672	vssvc.exe
Token: SeAuditPrivilege	2672	vssvc.exe
Token: SeShutdownPrivilege	3356	Explorer.EXE
Token: SeCreatePagefilePrivilege	3356	Explorer.EXE
Token: SeShutdownPrivilege	3356	Explorer.EXE
Token: SeCreatePagefilePrivilege	3356	Explorer.EXE
Token: SeShutdownPrivilege	3356	Explorer.EXE
Token: SeCreatePagefilePrivilege	3356	Explorer.EXE
Token: SeShutdownPrivilege	3356	Explorer.EXE
Token: SeCreatePagefilePrivilege	3356	Explorer.EXE
Token: SeShutdownPrivilege	3356	Explorer.EXE
Token: SeCreatePagefilePrivilege	3356	Explorer.EXE
Token: SeShutdownPrivilege	3356	Explorer.EXE
Token: SeCreatePagefilePrivilege	3356	Explorer.EXE
Token: SeShutdownPrivilege	3356	Explorer.EXE
Token: SeCreatePagefilePrivilege	3356	Explorer.EXE
Token: SeShutdownPrivilege	3356	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4620	AcroRd32.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1368	AcroRd32.exe
1368	AcroRd32.exe
1368	AcroRd32.exe
1368	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
4620	AcroRd32.exe
2020	!WannaDecryptor!.exe
2020	!WannaDecryptor!.exe
3488	!WannaDecryptor!.exe
3488	!WannaDecryptor!.exe
3208	!WannaDecryptor!.exe
3208	!WannaDecryptor!.exe
4980	!WannaDecryptor!.exe
4980	!WannaDecryptor!.exe
652	Conhost.exe
3484	msedge.exe
1368	Popup.exe
3356	Explorer.EXE
3356	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 3448	4896	msedge.exe	79
PID 4896 wrote to memory of 3448	4896	msedge.exe	79
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 2936	4896	msedge.exe	80
PID 4896 wrote to memory of 4408	4896	msedge.exe	81
PID 4896 wrote to memory of 4408	4896	msedge.exe	81
PID 4896 wrote to memory of 3120	4896	msedge.exe	82
PID 4896 wrote to memory of 3120	4896	msedge.exe	82
PID 4896 wrote to memory of 3120	4896	msedge.exe	82
PID 4896 wrote to memory of 3120	4896	msedge.exe	82
PID 4896 wrote to memory of 3120	4896	msedge.exe	82
PID 4896 wrote to memory of 3120	4896	msedge.exe	82
PID 4896 wrote to memory of 3120	4896	msedge.exe	82
PID 4896 wrote to memory of 3120	4896	msedge.exe	82
PID 4896 wrote to memory of 3120	4896	msedge.exe	82
PID 4896 wrote to memory of 3120	4896	msedge.exe	82
PID 4896 wrote to memory of 3120	4896	msedge.exe	82
PID 4896 wrote to memory of 3120	4896	msedge.exe	82
PID 4896 wrote to memory of 3120	4896	msedge.exe	82
PID 4896 wrote to memory of 3120	4896	msedge.exe	82
PID 4896 wrote to memory of 3120	4896	msedge.exe	82
PID 4896 wrote to memory of 3120	4896	msedge.exe	82
PID 4896 wrote to memory of 3120	4896	msedge.exe	82
PID 4896 wrote to memory of 3120	4896	msedge.exe	82
PID 4896 wrote to memory of 3120	4896	msedge.exe	82
PID 4896 wrote to memory of 3120	4896	msedge.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2776

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa08613cb8,0x7ffa08613cc8,0x7ffa08613cd8
    3⤵
    PID:3448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
    3⤵
    PID:2936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
    3⤵
    PID:3120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
    3⤵
    PID:756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    3⤵
    PID:3376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1624
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
    3⤵
    PID:648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1
    3⤵
    PID:3332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
    3⤵
    PID:2068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1
    3⤵
    PID:4544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2612 /prefetch:1
    3⤵
    PID:860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
    3⤵
    PID:2128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
    3⤵
    PID:4968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
    3⤵
    PID:3624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
    3⤵
    PID:3916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
    3⤵
    PID:3640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6332 /prefetch:8
    3⤵
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:1640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1720 /prefetch:1
    3⤵
    PID:3376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2648 /prefetch:8
    3⤵
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:5088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6588 /prefetch:8
    3⤵
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:1112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5760 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
    3⤵
    PID:4344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
    3⤵
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:2084
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\MYDOOM (3).idb"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:4620
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      System Location Discovery: System Language Discovery
      PID:4528
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=991F31E16F5293D1BA18A2FDE5E1E631 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:988
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DB58A91EE34830E66E9552C599B21729 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DB58A91EE34830E66E9552C599B21729 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4556
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EC38B26007B7F8511363E13351A36858 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0A4166E8C155BE624CD07DD30CB5CB2D --mojo-platform-channel-handle=2520 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=16C58FDAD508304E07E5AB6C23406694 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=94305BCD07559E5B4542DFBD20C48060 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=94305BCD07559E5B4542DFBD20C48060 --renderer-client-id=8 --mojo-platform-channel-handle=2652 --allow-no-sandbox-job /prefetch:1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
    3⤵
    PID:2828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1172 /prefetch:1
    3⤵
    PID:3668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
    3⤵
    PID:3372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
    3⤵
    PID:4292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
    3⤵
    PID:4192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
    3⤵
    PID:1836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
    3⤵
    PID:2728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:1320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
    3⤵
    PID:3116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7204 /prefetch:8
    3⤵
    PID:1232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
    3⤵
    PID:928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3820 /prefetch:8
    3⤵
    PID:2316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7284 /prefetch:8
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:4668
- - C:\Users\Admin\Downloads\Xyeta.exe
    "C:\Users\Admin\Downloads\Xyeta.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 472
      4⤵
      Program crash
      PID:3376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
    3⤵
    PID:2064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4800 /prefetch:8
    3⤵
    PID:924
- - C:\Users\Admin\Downloads\Xyeta.exe
    "C:\Users\Admin\Downloads\Xyeta.exe"
    3⤵
    - Executes dropped EXE
    PID:4556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 440
      4⤵
      Program crash
      PID:5024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
    3⤵
    PID:4228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6252 /prefetch:8
    3⤵
    PID:3596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7296 /prefetch:8
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:1172
- - C:\Users\Admin\Downloads\WannaCry.exe
    "C:\Users\Admin\Downloads\WannaCry.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 296491734540810.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2772
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo c.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe f
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im MSExchange*
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4212
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Microsoft.Exchange.*
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4564
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlserver.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlwriter.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:464
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe c
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3488
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b !WannaDecryptor!.exe v
      4⤵
      System Location Discovery: System Language Discovery
      PID:4600
    - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
        
        !WannaDecryptor!.exe v
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3208
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe
      4⤵
      Executes dropped EXE
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7396 /prefetch:1
    3⤵
    PID:2200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6892 /prefetch:8
    3⤵
    PID:1972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6336 /prefetch:8
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:3844
- - C:\Users\Admin\Downloads\satan.exe
    "C:\Users\Admin\Downloads\satan.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1836
  - - C:\Users\Admin\Downloads\satan.exe
      "C:\Users\Admin\Downloads\satan.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1684
    - - C:\Users\Admin\AppData\Roaming\Ozbes\nati.exe
        
        "C:\Users\Admin\AppData\Roaming\Ozbes\nati.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4820
      - C:\Users\Admin\AppData\Roaming\Ozbes\nati.exe
        
        "C:\Users\Admin\AppData\Roaming\Ozbes\nati.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_aaa124c9.bat"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
    3⤵
    PID:332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7828 /prefetch:8
    3⤵
    PID:3384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7860 /prefetch:8
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    PID:4644
- - C:\Users\Admin\Downloads\ScreenScrew.exe
    "C:\Users\Admin\Downloads\ScreenScrew.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
    3⤵
    PID:3524
- - C:\Users\Admin\Downloads\ScreenScrew.exe
    "C:\Users\Admin\Downloads\ScreenScrew.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1864
- - C:\Users\Admin\Downloads\ScreenScrew.exe
    "C:\Users\Admin\Downloads\ScreenScrew.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3732
- - C:\Users\Admin\Downloads\ScreenScrew.exe
    "C:\Users\Admin\Downloads\ScreenScrew.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1624
- - C:\Users\Admin\Downloads\ScreenScrew.exe
    "C:\Users\Admin\Downloads\ScreenScrew.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4572
- - C:\Users\Admin\Downloads\ScreenScrew.exe
    "C:\Users\Admin\Downloads\ScreenScrew.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8064 /prefetch:1
    3⤵
    PID:3780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8136 /prefetch:8
    3⤵
    PID:4480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8088 /prefetch:8
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    PID:5072
- - C:\Users\Admin\Downloads\Popup.exe
    "C:\Users\Admin\Downloads\Popup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.rjlsoftware.com/
      4⤵
      PID:4688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa08613cb8,0x7ffa08613cc8,0x7ffa08613cd8
        5⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.rjlsoftware.com/
      4⤵
      PID:864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8020 /prefetch:1
    3⤵
    PID:4312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7420 /prefetch:1
    3⤵
    PID:2420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7744 /prefetch:1
    3⤵
    PID:1932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7588 /prefetch:1
    3⤵
    PID:3212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7600 /prefetch:1
    3⤵
    PID:1824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7424 /prefetch:8
    3⤵
    PID:2572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7412 /prefetch:8
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
    3⤵
    PID:2500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2972 /prefetch:8
    3⤵
    - NTFS ADS
    PID:2644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7460 /prefetch:1
    3⤵
    PID:748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6592 /prefetch:8
    3⤵
    PID:4688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7880 /prefetch:1
    3⤵
    PID:2052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
    3⤵
    PID:1908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7900 /prefetch:1
    3⤵
    PID:5280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=876 /prefetch:1
    3⤵
    PID:5580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7292 /prefetch:1
    3⤵
    PID:5236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7332 /prefetch:8
    3⤵
    PID:4584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6860 /prefetch:8
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    PID:6028
- - C:\Users\Admin\Downloads\Vista.exe
    "C:\Users\Admin\Downloads\Vista.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7804 /prefetch:1
    3⤵
    PID:5532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6564 /prefetch:8
    3⤵
    - NTFS ADS
    PID:5604
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NewLove.vbs"
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - NTFS ADS
    PID:5208
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\NewLove.vbs"
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - NTFS ADS
    PID:5476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
    3⤵
    PID:5780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7888 /prefetch:8
    3⤵
    PID:2676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7244 /prefetch:8
    3⤵
    PID:2252
- - C:\Users\Admin\Downloads\NakedWife.exe
    "C:\Users\Admin\Downloads\NakedWife.exe"
    3⤵
    PID:5632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8108 /prefetch:1
    3⤵
    PID:2964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7008 /prefetch:1
    3⤵
    PID:1752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7940 /prefetch:8
    3⤵
    PID:2140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7532 /prefetch:8
    3⤵
    PID:2588
- - C:\Users\Admin\Downloads\MsWorld.exe
    "C:\Users\Admin\Downloads\MsWorld.exe"
    3⤵
    PID:576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7304 /prefetch:1
    3⤵
    PID:2252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8016 /prefetch:1
    3⤵
    PID:2244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
    3⤵
    PID:5828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
    3⤵
    PID:3344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
    3⤵
    PID:4380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7220 /prefetch:1
    3⤵
    PID:5284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
    3⤵
    PID:5768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7572 /prefetch:1
    3⤵
    PID:4776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15101090400463213582,7082053198061981322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
    3⤵
    PID:1248
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3492

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:3808

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3888

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3984

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:800

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3060

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1176
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\MYDOOM (2).idb"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1368
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2472
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E47E0005F95FC6513E3ADA7232A26595 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3100
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=90D170E382513410C969200E25E261C4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=90D170E382513410C969200E25E261C4 --renderer-client-id=2 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3088
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=266A8F13D72AF69118E49D32B619BE70 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4620
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CEAD42189A31D1023889B4E7566CC56E --mojo-platform-channel-handle=1956 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4564
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4586FD7E999CD785E58C24796380C42A --mojo-platform-channel-handle=2368 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4720 -ip 4720
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4556 -ip 4556
1⤵
PID:1344

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004EC
1⤵
PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
836ac133543662d1ba394e17d98ad193

SHA1
f9f9b46805c1d15cff656a19fa6cebf7ae8b77f2

SHA256
839493f2b7dd0e9ced4e4bf6cc9382bcb35f342ae97cf70e68524bd0c92f431c

SHA512
c24254651dc26ff636b7cf83b3b6fbf791cfdae2997723e02128858172554213a912c86fd0243fa19147d2bf962019a095c12be9ccc72da6ee3e245748b97279

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1

Filesize
264KB

MD5
f61ac600487c5dbe06fc05c7f1f4b477

SHA1
ab0f81898034fcdc4b30102974d03c77bf5e2a73

SHA256
96b5b158884e46e6cc7627d95e08e929c0289159c098e407cf0ccfb07a8760f4

SHA512
4a3109390b8f8ad5296787af2c4ee88bb6b8cbc359cf3666274f1cb5f840c5595256c6c57a5879e08ff23ab413c6b9d740c4f8000c49354ae5dd7cfad7a3a8cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Filesize
292B

MD5
f0c4a52dc60165603ca48b74a0c1f909

SHA1
55c5cdae426dda776c85f19f4514b368ffc64ce1

SHA256
54a4f7739fe9a5b84693fba6b38ed2c9c334460c775618f57e6b36db07d57059

SHA512
ba763e6805bfc7d47e42414835ca1ba3194b1d0e99c5d337125cfefaec9bb876cf80a32a6c5cb5bb969679e2e3de72cab33f60b3cf141b64ae816573f2d7d448

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links

Filesize
128KB

MD5
d5d824b44cf4b8829bd1ed72f2034bdc

SHA1
fa731182693ad78c09f59ff6cca6717f4e8e2209

SHA256
70026d5eed2af4e1c52c5dcee5fbe3a38a2fa4ba8da6e2e88d68d654fbea6a9a

SHA512
820c8e8b2723aa5abf1ad2af5cea7e2576d439b03e88586542f13bd281e19fda318d8d6e1551d69b8eaa468bd672e20b47693eab667b82fdbea411b1f225d2bb

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat

Filesize
145KB

MD5
0ca92e00a9ce4375a3638046691b4bc9

SHA1
5a157e36bc4f2d9e92603360272114bdc0c05a6f

SHA256
d4438f7c878c75f83cb468efcf7c34f76c7db8e04a90a40314785addf2227151

SHA512
bf22570e1899f239c117a4e3bd1f46f6e656ee3615490c45157c8dfc18bc3021f6b7a75afba908c2c31850c4f5db7fb56e08059eeb36552720a7aa5d9f7c23c7

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
b8848e838a71e91bb980b0359f4896dc

SHA1
41cf21275b02df09a218d5b0665230d3f74b0530

SHA256
932f4a2c3ca0dea31589ea2448bedcca4915665acfbc6e071793f5dac51ff427

SHA512
75868b33c072b376568810b8ea26048cf8e9d4a77bb2397faa6f29656043f5fea535000ef7810c93ade3d6c8752cf82ba64e70dad7449c5d1f311884da350d10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\15e13818-d51d-40ec-b889-02a392f1b826.tmp

Filesize
11KB

MD5
fcd3e9189e10268bd13fd6bbacad1fd0

SHA1
71e6f595aae8fd7f11d7f2f6a03d57eed3634650

SHA256
d5306b8086d6bb207f356ac4199d2d5e897f5b1f0298ce8f2751bdd58fd66524

SHA512
9584ddd234b22a2b3498088531cd2c9e29394badfc5b55e78a1e04f9cebc6cf62028f7686dfa8fe974b2fe070c7bc027df98e87de26ec92352be71efa1b4a154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\435cee70-fde0-41f9-a512-47ab18392c18.tmp

Filesize
11KB

MD5
e06a945452c4b4bd9c045f014c29db98

SHA1
6ca74b183b308133c4571763f3d6242591c58c89

SHA256
17591f41d1fafe0638248ff558eee007ec778c755efd61c3992a1c7c6cce0ce2

SHA512
74c1d40a54946c102e5b9b64cd18f36cc73cc7fdd221ee25f74e3407c998dd5ce7033affe9e31246e6e38b8a893d6c8fff550721187f606c5160b50732b6d8f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\558ca25d-8af2-4e37-b239-e9e5a6730fe0.tmp

Filesize
1KB

MD5
fa082ca0431bde44e5f16c351c33e647

SHA1
dc2344f87e76d09ec2655085da27063d8b9c7aa1

SHA256
54fff5736bf452a4bef4fef6753f3afe3b0420236bc5f08c0d60d753dea1bbab

SHA512
e4554261c7b0eb72d6bb1e2d114b050623b412d386148c400731f99388e994cc961088dc08cc55647e8880c58a8ed824e92c8982354265aacef010aaeb3a0c79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
47KB

MD5
0d89f546ebdd5c3eaa275ff1f898174a

SHA1
339ab928a1a5699b3b0c74087baa3ea08ecd59f5

SHA256
939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e

SHA512
26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
26KB

MD5
5dea626a3a08cc0f2676427e427eb467

SHA1
ad21ac31d0bbdee76eb909484277421630ea2dbd

SHA256
b19581c0e86b74b904a2b3a418040957a12e9b5ae6a8de07787d8bb0e4324ed6

SHA512
118016178abe2c714636232edc1e289a37442cc12914b5e067396803aa321ceaec3bcfd4684def47a95274bb0efd72ca6b2d7bc27bb93467984b84bc57931fcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
18KB

MD5
107df3f63a8b637eed0a3f01c1181ca2

SHA1
6a367efe174a94850a9a60eca1b3cb9476ecca74

SHA256
7fbcf806307f836eebf78829d088e8cba825d711a42394f64fa7117271a878cf

SHA512
e4c2e6b6ca662cea6b74a70f5f40dfc9cca0b33de7efef339da815d3ee05cfa4771791a011ecee3e9537f77c4457744b1276d2ac4690cf621eae80f1011ce00e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0143edd150d6fe42_0

Filesize
2KB

MD5
c6e5f696583de21242e428155837ca45

SHA1
7aaac741dbd75d29a31150118aa10e6218b1635c

SHA256
7526a2f4ec251a4c69f56e716e1caaae526943c9219f63f7015c5d1d9f1d583c

SHA512
90dae2766aa2315d514db0bcfe6cbafe1343a4f0969b9aca94195177e775a44059113e38e1a66dddd1b8124912b8a75f9875c85a6b8b4867b5f05344403ab55f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\06cdbb7047afc473_0

Filesize
262B

MD5
270d776f89b35d52d9d3a78511110ab0

SHA1
d6625ef31618ecbaff0d9ea3e4145d9520cd0777

SHA256
846220bb5ae3d334b2c6138009563bec9e282cd23100931ed34ab17ccb409d6f

SHA512
491aa4107fe57f19328853304d5a3b68d707e57de31291508c9a5ffdf89c2958f59551b6546629b151c84ea7f5afc272bd4d943091aec88c64fa48d36573b72c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0720badf6795a0b6_0

Filesize
3KB

MD5
1164d94563ee0fb470882af96cfe3e88

SHA1
221b02a1b7fbea315a8c7c3577318aa33c11f690

SHA256
da12b88d91da03e450b7dd3ccc5b5afa1ff119ed3f5bd2a1b100e22919dec3e3

SHA512
1ec9d781b2d52ad4db89991021f463e6789f5d6b9ea38cb50943fca394a0ba68d912ecd5906a273eedd8ad7b4f5a368b7c790160db3afbd74909f56cf39d2289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0b85b1753e9b4942_0

Filesize
175KB

MD5
77fa98646f5e24da770e987c88f5ff73

SHA1
d37179248e7f25d4508dc7808c7951093128c470

SHA256
d2395f92e60b91ab5bf7f00b8ba5096a4c7d649aa89c25dd430c6f1a34a8bd42

SHA512
492e5b060510f7451c8086f68ab160680d0bd96f824a5a0bfb515cd75457893fca7c65631528c06b5dd7446ba63c69b896a7a9788c995a9aa1dd743e8ec7004a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0bbe00d9bf7b798e_0

Filesize
5KB

MD5
cc8ed2d78796257c5ebf9b2affae4712

SHA1
b61435a748e6bbc90b545fc979708220534c4d7e

SHA256
b366e6286cf484cbe39e5c623ec2174a2790d5f33c2aa82e5fe23be671d9dbe9

SHA512
49086cee6bc42dac4ed3cf5fd3631d349d1a8970d8932bd157d4b45115cf7707a8cf778e3d43ac057dc301975d0e6426a702ee16e0f1b10c3b1764fcb14d464e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\14ff8116b518ca2d_0

Filesize
2KB

MD5
3d6dc0e2c62ea8024624db2cc28031b0

SHA1
7f200e3d4cac2f6b1e5a9b06b15929db03fdedee

SHA256
e01e743ce491b29211aef0cdb500a0d78c4dfac361c42412592cb9e14f3d1b0b

SHA512
46051da7fcdf98612de0a9b25e2544962f448828b945998510fc911f165f9c0db16f26f231d6ca07597a9a04c4ccdfae88ff3ebf7cb2e46356d1029faa661699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\15534ec083f6e0f0_0

Filesize
207KB

MD5
aa33d20c7a4f257f470020b9beb38d5c

SHA1
4b77b3837e09a270305ab916480ba97f19f2edda

SHA256
54115b97cc5e724d91228f7261426404ea151b59eeacc782f372bff698469c37

SHA512
ae840aee493485cc511b2767044ea8e77a62c4ff196d999a838c46416a1dc35e3a2d783e689966d7411163aaea33255e89dfb33798f36d87df46007ed33385b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\25c90b4fb1c6ef85_0

Filesize
1KB

MD5
2d1ddf76ab8e1fa59ececece22afbf9a

SHA1
293c450713f869f2794345853bb835a37ab4fa4d

SHA256
1684a1aa30ba24cb626cccb762e3ba1c7000901582a164326c3afd0011160bda

SHA512
f0a8221b740f6c0e4321983dbb643fcd4bc3b8cf1fd7fe989d41e8456e04ac7bd21d7807fb6082015de65647fd0bfaf32e709a3ed705c535c5e73e95588fc0d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2f4680e8f8f8a14f_0

Filesize
13KB

MD5
810f40a76bb488698808d42d0740a003

SHA1
fc02c7206dd4d021373810e57f42ee3eac98fbd0

SHA256
2a826730832c1e53ed9347b1cbf49c0584123b969e92b241da0e835171d443a6

SHA512
ca7bfff8979bb71b19c614f3688dde5a6dd7ae66625713d5a25a0be4dc770bba49256247ef73ae5e424159c453535f8b1fac33266cddb9bf66a086de2475c774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\378757bddf4d4f48_0

Filesize
61KB

MD5
9ad8e9352a08ec508c8e1a1812197ab0

SHA1
20a3b541c55d4827ea0df53fcc0be834740184a0

SHA256
684d3816675a390cf5932dcd1032254332bdf05c4153118fbc1082aae1863358

SHA512
049351f52dba2f02f35cc1a06e33689584b480ac0915230c780fd4641ecd1c18c00f81e1a429ac13d1900a2b095b659589e42dc9e208237148b08b4323fa5cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\37afe38eb817b647_0

Filesize
38KB

MD5
ffd93510fcb7af25a6bfff0da2e74564

SHA1
9400ccdf7ef48b9485be5f94597eec210d424f63

SHA256
deb119a27877871dc956c267cc2de37c425f6851a8b31c39567fb39df8350bb7

SHA512
67c05e1d3757e6b94661b6b040428304c5a2d01c1972f5ac7757fa33105ede15f39702d8371bf547e698dff229714c2701c76be4f54a4a2037982d350197d482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3a4259a0181983ba_0

Filesize
22KB

MD5
d59c94b33e45ff2bb3d34817caf87d2c

SHA1
c43860a5629e3c1eef503f39e5a614d4acab1f22

SHA256
18e88214aef7f129127b33f65388fdb45836b6d2c8ec0076545d84dcec42fab7

SHA512
339c978176433fc5713cf88600645ec19e2c2345db32b9ec5e3b132c7c084c8aed0b26b3e0df649e5a7da4ff79c492692defc16dcf9baae197a4557f1aecdc3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3f139f229e6f0497_0

Filesize
9KB

MD5
3cd8d826d60eddff94c96499a566082e

SHA1
4d660ac094a1889f61585abf2040ce4ac0c15876

SHA256
2eb4aa6e157afcf06c9395d198bce00480cf4d3d07a8df31f2329576bbc878ae

SHA512
f966ad6ec7226b7768076a7e9114a76a01ab973354ca82eb5b1da05b8155dcabc4b90fe2b1459b7f14165a70ec0913ca80215a2b1f447d4336af2e6cc8bd682d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\45a16ff6d0d9ab5f_0

Filesize
1KB

MD5
8b7986599ca148b379d31ae26bbcbbee

SHA1
31388f44aae17e1ff752e49c7854f61c24a12963

SHA256
d448695089c1e1d95c9b194d2735897122db9f6f65b81948c4d98fc4007c0192

SHA512
08cb36b31f1e0131887e77bd669b7fdfb5a7aa195432d8f283c0d2d15cf4d9be5f70efab575a6f7b44ed50e1bc16b9b4f5fdefb8a1f1cf830779214be8228a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4e9b18b0f66a7183_0

Filesize
1KB

MD5
ed8c2d79a81f24b81a9aaff1c4dcc09a

SHA1
edb6bb4f86439f7070866b514c03a9c47017c43b

SHA256
210b4c8e35644e074f3390f47181d80ae51fbeefcfa5e2026c600134ccbebca2

SHA512
e7bd9d0f361698db3d655f8454e50825fccca9a9b567b55a4cb82ac78c8744438e1c0977cc67a4a7d46a5672bd13e761492a7e23f615f820e172e40cf581a711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\53ac5abc87e80789_0

Filesize
3KB

MD5
2111671a25d82ac72f6279c5489aef6b

SHA1
b8484aeafad4a4486a22e9ac78ba9c566b45d7bc

SHA256
c1c482acb5775b47fc5de00673a416584bef4e022519b9876f7c43b2d2b55e52

SHA512
dee6a0e6fc702565ec2dfdbbb7b3a6148310be2b7f10058c2376d8c4d53423dd26044dd42aea95988e7bec4b46de9780aa6048da16a96187269bf535f6114e58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5b13178047417404_0

Filesize
106KB

MD5
9301f1fb930dec1c8fb5402dba21ecd1

SHA1
2638f9d68628f842ef5986e0cb62f2a468e63381

SHA256
2c9a286c067ac9e4e04b4853b3b74215420937e1e2224429448bebd62b521cd8

SHA512
bc6e3458345b4425a5396db642cb7025742b650e28f48153a4406cc138f66ea10c2c42dd2cc2a795bc88d50fbb35ffe4c7845670c6d2afeb40fc0b861594a99c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5dd1e579c9681f95_0

Filesize
2KB

MD5
2d9f0d3b74734e714c25b788092a5273

SHA1
e494d2c9e489efb66766fe01f417591218d6a638

SHA256
56e355a7cbb0b33fe4ecf46c00ba42d936b9226bbd93c318262b6ca2140c6598

SHA512
bb38248eeaa60ad7565df2038b47c6e9b7c196bc142c12bd92a63a86f0542ce2290990210f0e9815b72ebc7a43eefaacf309addec5bd2406e24234e1867b5fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\61a0b4d20ae0e222_0

Filesize
14KB

MD5
d5a46c6acd08825a6333389fd147013e

SHA1
a3d7764c41ed9520303bc912468c11cf8680cfd9

SHA256
6a147d9c4d456b3cf619ac5f707c64f7b09501ff78c0497e081c6e571f605414

SHA512
ef7d9baf7187027b6da1b55a13a4e12e404504a0ec4762c732fed0df0a96aaf6913d439bcf441b2de50e55a4957ce95ce14027b11b68d15786f24f94cfb41d4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6b1c3d6d62495ca9_0

Filesize
4KB

MD5
5b2e9c5f7ce48c8b9d2a7ebbabd44882

SHA1
46cca448fbaaa55aefcae9918f6db86dc86df621

SHA256
132d3d401354c1fa0161940e4eec288b0fe929b573d5d96d42ee999e39d9b41f

SHA512
5caca2c7c21d2d33e050b08c24785289b073a579e6723a41900d59ac6da2bd48b88aebf8314651c0de342ce9394901b20c647c291f546a9e19f0a7dc6b4b6edf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\71d68e68ea4089fe_0

Filesize
6KB

MD5
cfec8f44846716f6532a1f6923edcd27

SHA1
3b3ef637a967accb7fce4c156cf6365fc9508265

SHA256
4398b618be74cb483a55397f9476feece7811d7a67dfa32314dd765aceae3020

SHA512
549cd555ef8e32d2f6b85fc06f310d7e76e67ebd4b11e6dea57356cd2fc51b6cec758fa8b00a266b3469d65b83e1aed8b973089cf01d8c4227847659539e78ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\766094f4b47e839c_0

Filesize
11KB

MD5
d38b6b7a3c0f10a8d6ca7bd0373199d4

SHA1
b7dad2dc3de863afc4a85d62b5d393c06dd6eb7c

SHA256
298b6e7cc863c43baafd17f78df0421d0ccb6496752b77dc5e15660ba6309d03

SHA512
1f3bf3b019cbb0f3bf6e7ad4d115f5e55168b1253ae4ea67d09943160cfc53967e70a8951785842173e426b330ef70dda418dc86eae806308a73c9003390c604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8ae0a61cd4da2733_0

Filesize
291KB

MD5
902f39f03c1703af0ef9cbc2fc7f6af2

SHA1
95c0c55676cbf16960f0f0e374785ac4130a3147

SHA256
c2335cfcb2e8b25848b042de04ba11adfebcf28c079eb17251fc209899dbdeb4

SHA512
04c749ff639b0fb6a8eeaec18b61e31ecb03686a2604e021a354e18ed99f3a06dbea7c65e8938a01afe619e879bf1ef41d6fa7a851db539fdef2df60b352df87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\90d7d7591a1b39bb_0

Filesize
262B

MD5
b601b690f9c5e821c49ce72af048c904

SHA1
89f278b02e0a17c3f45f74143edf78cddc52115d

SHA256
c3e54e3e5831c75bd0cadbbbec0cfb11ecf0c36242fe3cdaca5e730c93a19804

SHA512
2d57c1697bca200994652e2691d0a4b27a781cf0ec6e56167318579edab4add04a6f526f01ce961b43569aa16552288c48bd3bb92874258d469d9246a32c5daa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9dbb949d27873cbc_0

Filesize
2KB

MD5
a2b8ba2c0eff465d2c8e870ff1d32387

SHA1
3e401b1ecbe7fc86434746cf06d251b8bb7eb00d

SHA256
84c1665c12ba58b4825867060a50605e942ad80b7fcc55584b1bb1f1ff4a633e

SHA512
6ee618873b8ddac99a3458f797b55dab9928ec0b19219a2fe4b7418c77c16dbffc0051c683b5caaad56d7137863383a873e227c70b65c76fa828afb26b143ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ae2d9ba42a253ec1_0

Filesize
294B

MD5
3b76e21d12148070b4b0e6fd2e7b50c3

SHA1
47dac8e555020c722fad79b21a9995958c0de9e4

SHA256
87b0495ef6ee5de8ac19198c89ef6b60c23a5698a34a71261e9e7ac026557686

SHA512
48f15395f4082731b4cded651b365fc444a94e3d0b02ded75d81ccab66a38242e4d4368c7f86814e7c6eb3d466d6a974c5649de5e9309121a4d35c2108073aaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b1d693ac0f52716b_0

Filesize
10KB

MD5
141078b85401b6c0d7c8d9af68276ef6

SHA1
afbd7d6f7c84b55b0109b3fe5ac85370674ee0c0

SHA256
03e57f8c3a8d60dce381c673ebdf367211e4144d5a316d4198e43a60be15e3fa

SHA512
0a6b5bd1202a13005f3a29978753d8ac2c32d6d88faad39244c5d2f63bbd536c09525c5aa4d40729fbd10843d0b7836676fb93236451e33ddcc65b96496049f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b3e82669a81c981d_0

Filesize
2KB

MD5
b880b4aeccf97f70a3355c74e764f540

SHA1
d97c43bbec07a0f577b931d264512bde3dd048a3

SHA256
c610575bc6eeeaf3914ba5e08f2979581216bc697bd2f5632d863632882a5d3c

SHA512
fbb30e5e3fe41ae6d7181cef6a8e12d96f01919dd9991c6717d872f35b7242b41c949d50ef0d3680a39f8337c791f45e71cc764a17bd0f850fb9ef7e8d2a8460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\be6d12311ce2b399_0

Filesize
2KB

MD5
90bec7fc0accd03e864cf3ed030dd70c

SHA1
ce83ad6876302d1283eee5113e0aa3d3da4934f1

SHA256
dc93785fca206a005ab6bc080d34f356eaa1175d6b2a672a0f26a05defc8bb56

SHA512
11bf8bbd298ad2ae2878daf1f4e65f591ecf711e2daa372cff3dc6722d52e9a85f9b4e3fbbddd5550984a7db0a5971859180e97b0f5a4473aaf18be0364d2e79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d79e0a2891fc014a_0

Filesize
262B

MD5
edabd1c269a9c570cd649cd2eff93f42

SHA1
96b211be9849c621cd47347680b5948e3fffdca6

SHA256
095f01fde135e914284c0568b6995fe32c02e68ff86470b88903c10910ca1b4f

SHA512
630f137e7934ca25db862cce3d365816c0c084350c49242bb2be395c408e23396b61fe7d24585e501b4a0589e088e7833026967f5b2439bb929f292edf1c58e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e146fd968644d345_0

Filesize
8KB

MD5
bd304fe072795e735cc2a2f680543768

SHA1
1bd2bfd416621841b3b205915480d03534d9dd0e

SHA256
ae71f672c4b2de6be17fd888f96723f905f65215d5b22741fc06cd059f0ac99f

SHA512
1d7edc31a6a5ab1bb9bcf0681ee44809f2953dbc6ceaa257fdd11d8c91d40d27645020d53a3b6552ad4db81fa6649906d83673bf9c3250d28f0470d861987282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e239929a95f56ab5_0

Filesize
2KB

MD5
e71583c639b655df0f76c2dd0232953a

SHA1
bba6ee143818ac6791abf607c32ce8f94396fbd6

SHA256
5629132cf95f954c18a688cd4f9911d98660ea54db9c82b9bf933eb8a4043a0b

SHA512
1f09072a68bdee150cfcd5aae955e227a5cbd8d6c143e22dbb709b6c47feaab974389036cb5f5bd2ee75744bdb88a544d1d47179c6bd4c7aab2213bc76d74828

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e9c7e700cc3e33cf_0

Filesize
48KB

MD5
66a8caa285f481246f696efa9d289073

SHA1
65a6e29a11a1effc68a71ae0f3ca124b7e42b4c4

SHA256
db9f1bfdf84dc4492327ee43adfda934d997657bbb618b881235331e7430bb13

SHA512
e05f8610b19d3d6a1c1cd1121f2a7e7400310242de50c62d120e4d18961a868bf8cb6e2031e7bd7b2c777e6080e4b78e654fb52023131d860f04bd11263e805d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2e4bbad99a372cc_0

Filesize
2KB

MD5
35564d26952f6cb21521d2ddf40fc7b3

SHA1
cb76e45e87513bdb455ace6a85a13ec5d360eac1

SHA256
62328df0289c48ef20b7180a936383297acb8e22d8d5e6a539a7a54f886efb09

SHA512
52a28465975098123d347c8aa68171c51a4ed1eb72dc02012c5aea5daf65a6965037152f3d04ec0aa1532809f42681ce983a17d9084b95e67235c74cc85e302c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
79ad0641503fdd8b030ec55092efe0f3

SHA1
53c29d75151edf856d7a93c8a421c3eb463c40f6

SHA256
aa0fec131b86cb168f025aa2a2c524a65a2cc253a33fd764fe8222eb99576350

SHA512
17a191be083ff7d8dc8e77a31b42e10f9c67f10cf6ccf8777a44451091efb8d8243d7cc37e76c4bd8f44ac94791c5c6a7aaf5053eaaf915a9cedf533cf94e4df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b3835aa9af4abfff9cf647c74cc48a94

SHA1
3516e02cb13e0ddaa90f2099c529b3354df85d69

SHA256
e96d512de807fcf32f8f3baa2d1f38f1df36bf405fb3b264a63f500b4fd06571

SHA512
a81795bf8117772e204a97b411e52708e37986095805c9831210583db77daa8681e9143da734eb8610e8de93ba6c9747576e4c87777625394df79cc1dccea1eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
530f4872a19e846ca4cfe650b8117387

SHA1
923b195e087890b295bf1383a99bb1fe0f0d59b6

SHA256
3c97de075b7d3fec7d809ef8e42f1292ae5a78370c33f5f851cf44361b305875

SHA512
06959785b059677854e89d581ddfb7ebfd9a810c69bc7f02052b9a87e8597480dee94810fda6710e32da431e76dbb764398be4ddbe0e11e8ec8526cdf5650c64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
139baff5322624c7a8455c9a9bead858

SHA1
9b7b3efd5f4c690753e165c2a40591859c1e07f4

SHA256
8353eebe44297b40e3514520452ce8839052dbc9841d29c804085388a390ea9f

SHA512
b1559ccbc9be654e68caa728c2891f3342cc56e517b117625f7491a068bbf4c6d886c6aaac1190e20fa2795b42b10b659d635c00fb3fa3c70b2ec06e65de62f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
585315e75a753a9779717c9fae81ebb9

SHA1
075c902c68be275b2f472dfb50465422edb76b43

SHA256
5b9e6f8e47ac718762d0b1c88aed0bb778dd94c75354335fb6ff6439245f3fcc

SHA512
acc1094711b4933cb2ee1ede18ef6a01417fd9d581601731dccfc4f29bbcb23bc988ca4be15d4bd28e9de3702879d439b076f1fbd6e1d18d7b4d388770576fa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
6cae38a6e5566d56baecccd45267f8da

SHA1
b2c0aecf341c2ced5a6db9514531d025204ab01e

SHA256
18f329eefe15a97543d9df995334fe3d8cbb50e19454db627e744dd5f71e7e18

SHA512
bf53a5e45e89da0ad1f4e6f2492bf055643c91360b5d226f87f2fa831da72ba1178e6c9b48b87dff5a8b1537ec89405213b6af3631a7f7381806c6fdee0f467d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
69e730b246bd40707d7fe3712d97662e

SHA1
2e64bef7984f4ca0d54bcc420df3e17e7a7c8d3a

SHA256
a5070edc2c5824db9744e5b569bd02defc2b267037212bfffd41f960e326fd2c

SHA512
260ebdd67289e73d570b9355ee018482d90a7b24364cbfa653f37db7f3fda3fa0c0dda304d4a4a4a063b5e38f068bfe377690b30388a58096715d8b0b2a80677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
aba0e213660b9f42b101db165e3c2be5

SHA1
23a4ce3377fbe847e385cdfaad635b003610e408

SHA256
152edbe98bce835a14f0742f013147abb96eef75fe514df3fed1a6759f031d3c

SHA512
f79ea8642ec5c3c7677d089840fe61ed437db6ef429c487f8511a445720aa31a10f4a92d948926fd9389e1024ae3d4107f9dea0521d86c31b29c0ab9aa838447

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3aba24a14096809987e14f050667faa4

SHA1
178686081993f39dabc84ff11dd455771d86cfaf

SHA256
282f4a8e14d2af7386a1b9b30e279f6ca23d3e6696bd064b69c49664d5827eda

SHA512
8f7c46dd21078ec01ed09f9c770ed08aa3d72724c815d9a5cd84f0ad2eb2646bf85320563457be1afa63730fae43c6e66797e7cfd7d48bd6875048d5be977ce3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
5e3561f8bb27b9330818764343caf37b

SHA1
08def231010f1b203ebb9935271838cb9c595e87

SHA256
f109d4af1429f461013cff2b4f26eef1a4a1f087185d90e394d0884f345dbb73

SHA512
ab9f146d273de01abf8f5a9f53794476ca4df3a295135e5d9b5a33422032bb750e09bd4236844bfa336c609ae547df0f03194f91e7730d781a831d1dc5a586b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
a206a97a1918a45dc7cbd1600b2e4da8

SHA1
d23f9ccf8a2dacff383854d61b39089abca8e86f

SHA256
469b8c0d9d2be6b5d44f16ead4a71473f5b1d057b19e875d55b3fad064555ce2

SHA512
1f0d875954f8419666f435518f0a148b5564cfab663214255d0f700d93fdfe40de3669bedd7cfc1a2258f7389447b9646e89d49e7a9ca67189f8ad4b5d5977fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
dae93834c643bfd8b6c964dc2c265186

SHA1
f6e330a627cb78272b51196aa12adb0726828658

SHA256
0f4b6b94e30fb8c467d9c5313cd2730d55470963c1ce3aad4edf52e5f331882b

SHA512
a5dd644bd8f69fec9ac68758303b715507936fa9d8888f636dadaee5ad6f7a62e94194165442304f1e82ce959f2a64d599ccd4c316cdf1a423ccd528520a6150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
67454601bdd8fc309ca88950788c74af

SHA1
d9a0c0982bcf558f2f4eee0873b210f9af729a0a

SHA256
50f8534fb0e31807f29ba5918b2b642ca7ac14c25c63bb50fb281a46b4435b7e

SHA512
e8aafd5a7b08fcb370b6f614362c23451d7208848a3143a54b0561c4fe6ed3ab9e777d5812bac4fb4b7265221539c2a4bc8e8364c2f66e8fe87a092b2c9e4cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
012b8c894b301ed4df0f503de4c4422c

SHA1
3c156a0f67e63187c64f15a855f50c0eda8dbfeb

SHA256
9cf9c8b1c4ee93bb88e0a302b4f0b66abbebf98d81624577e46afd079adf93e5

SHA512
af1cf804ad45dba8b7b45d829619b3062114b6d63fa518a128368511394507bab1b6346c1fe190dfdac66bbf3eec1d45785fb329e23342d0ad77c2f8054767a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8243040171edaf75098eef5e23365640

SHA1
5d88cbfbe75718f3c5ab736d9386941196adb4ce

SHA256
ff353aa18bbcedf25439d01875e134ed5f5173b97c62db3519ea63e28c68e1af

SHA512
2d2206a9adc0cf84ab329bd1730f7f16d27fb21ca38ad4b952a715869cfaa289024a430dc095d721ef12341ef9e4b82917056df4f452071b329f967addbcb037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ef8ea19d3a5ac645992930c124291403

SHA1
262b3ac3cda4654f67b0544786969659bad550e2

SHA256
acdbe61f86ff7107ed113b46af321b9583f7038d4192fb249324943c6f1707e4

SHA512
ac6b2a5bd5f5143bb26a640c84a71b5edbf814631a0118fd1dc632c8738d637ef9ccdf4b1d6751aace0db65a823943d37061b99aa369503b476accf7722856fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2719ffa087ad820a8bed522d49b3d432

SHA1
31a5c103f59879d6b8093b7a337d89f22a6e90c7

SHA256
4c0988a7ebcb85e352b15faca816997f23a78080bed7aaa30bb4fd83c95ca7aa

SHA512
08b98f714bbac0f17cea26c15849c20e08e24c45ccbe14bcba6e9397174f1b1732617cb4d5e4b00ababad27b2da143ecf98d01bfc91adb081837b5b948d920f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8e91e13d2eb7711efc81a1d286378895

SHA1
e4b55c4ba8d90003854b87b55bb49c72e2a94110

SHA256
d78ca9a4ae59b4a7055ea6498a5b329aa06750acc11d229b490a876cf9c364ee

SHA512
1e24182d8a7683b930b504e35dc716bfa04b12ec9816c6c410f634e8dcf0b02d2dde7ceb91ec48ad4c90d5f6e88136d0da739c7e80b77f0dd17e41c1dc6034a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
93211ea5c552bba7e85a9ac83f09464b

SHA1
74572a9ed79cc1543bd88f37be1c00e3a0833c70

SHA256
ae09728d750342260b78f9d02ffd1ebee4c1249b5f00cc9579175401f13bd393

SHA512
e39a548a030c0cf00a278653f0514927db6ef94de1cfcec70dfc44e421d8b8a50171d6f2c7826c5f1b87aab64d1ed5bf83c36f1e83e335c4d18509bc643b0e1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
deb6ac36eef2e21477066a33c1bea311

SHA1
0eda55c1e0c6be8f6707f6c65d2ee0dcbae12cf6

SHA256
512f4ce69e498114843d78ed38b6c458322c88b376ca1fef5f80bac6148ed9ea

SHA512
4dccec6c3d33d057dd216c996046d61d759ee8be5b6cb2e645ab2b547e367e394f75d2a9e5b472d9a7f20bccee499a7b93ec080b92a1f7134f970eca3cb67d0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
2c461a3a8a61b9cffb62fb7f43a0ca46

SHA1
b70f8f787ed33c9c93215a56b92f70607e2ede76

SHA256
5deea2aeb17a62797d33a9c5b701d856eb96892b96f61ba45959cf7d8e920305

SHA512
29dd48811b2b41a3a6e2f758b059dc9a83cb5419ab1932e7340baef7e7dbfe80e5c12ef74698bbdefa2f805509496004593da298f2da12c371d661ba76d5849d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b9151c13db2bdb835760ccd547fc22f8

SHA1
d0f8db3a025d36958c2b9401d7badaadfdf2ba3a

SHA256
3d5da1139c354efa648e49eba9e697d3bd4b69152e9087a88dd0505dd9e0e316

SHA512
597618672ccf69a3b44ef9268daa60b0e27abbd84e84fdd7a0be5169af5a8e7fbed01c022ac302a843f6cd2a3c0fc6cf803a3840a9eb3c49e4a3722f968ede9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b13a76c74ad3127509a21107a3ea01f9

SHA1
d31aaf37eda74db113fd52a52f902cd1d2f876f6

SHA256
2de6e9220dc2da2a607013408249056a5810d3b9695d6fbccb2abac4a9ab6219

SHA512
4840a67b87422bb5bcb6edc416d352db7409e8350bb80b80115506e74580b77f3992b6aa45c372435106630b0e2c4dbfc56492a8798bca0593acbb53b6e0ce28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
828f2dd22d6778e3c3d7a8b2c3668626

SHA1
860e89bca90ad712428b3662b3a74b934e2d835b

SHA256
a38ccd1e82dfd162d89343c1eaa9fcfdb001f8b63395ab4613ba1ec7cc6281a6

SHA512
b1978e06959561727783b58f051c5bc1a6215146b351399d615c446f2a2de5511f9e2e2eef878e14f3fbca8b0d8a9d46333afaf56620a4ba0b2e3cb75edcd4e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
988b41f82516d600f52c2b1b0fa28ec5

SHA1
726da990a3a0ef5ab7fbeb096d53f863f73d384a

SHA256
3ad9d5361fc1b1561c9d60eb1f0f59556899987b53e62d8afc2e5390547f3a87

SHA512
4defed298d45557942d78211d974de1ab4d15497b4e0bd1ca7e1e37f11bcc9ae284dac49d6f7042440675fd2b6038e54bfec0283e9e66a0554b65c102396ae0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fade1db393e33c1fad636028b3a1bc89

SHA1
8f4ff899039b7d84901f8cf92bd8d0576e3495ea

SHA256
b00393d844a891ef553694004f707f36a70e2ad5ed5f6215a7d75b87fd5ce9f4

SHA512
eb0991910633f2ca7b2e5851ad7c06e0fe069d675a27ff234613fbf933ee7e346bd6fb415358262fbdb30b572a6cb1406d3e81a423f93a305aa439831308bd3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f4f20201095872de3478ba960d38ec53

SHA1
f4cf4bdad40e27a7b2e2fbfa465cb87529f227e7

SHA256
513dc72e987b81fc782f107aebd4a95f9dca3620eec6e419c131a1ae93e0f494

SHA512
697d51f6a193d6395d569cc0af050ec9e852b9351c3020e09a4f433ece8d1b6ca25701730a429430930be0ea6377b11ce388488979cc4d420884f767cd375a3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c1763a5cfec30c4763cdea7f3bbd9e3c

SHA1
81bf53084b12b8c603294b407ae00bb163bf02f8

SHA256
a40864bd0bf6a6289c557b5c80485ddb9d788f1765b06411742e4a379abe4321

SHA512
74f142d19b9e7f34370a3f2ff8d8d57a721998e8e961f7ae03d96f876a4187dd52c92b0e311a2f9d54b04b3b9366f26bdb8a7f6d65bf70671c70313a9d54c1f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
443c7bee7609651cb8f21f79ac320442

SHA1
3c6a3ace0d5bae249cde7dfdc8871682ded872eb

SHA256
5b77adcaf46a3bfb670e1279963b1a81a56c4e6a6de6e926e7ec0a78f2a7b359

SHA512
f746ec4646840a2413782f826a8022b8ea7ce92bc970b1279c0ed7b2be7bc9730ce467b5bbca040d52afd54756e1bea65e9b9dd3470865054f02612cfbcc6702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cf19b7b7ac19049b1d6d38afa77caa31

SHA1
1f688a2b43c641542243dc45f7338b74a4e2a6b0

SHA256
479823a27f73d389ccdf8ee66b6154088eb775c61389221609f8279ddbb024ea

SHA512
f83194d0d3a6e923646032853b012321fc7669c5b78aa179ea1898654702650b2ef9bcc816231c7e0a84a9a2a0dfd785324cc113575df27bb6122759a70a07ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ea49c317046a2a65306033e4d1759f54

SHA1
231e10ff1df57e192081116f244a6086a0c0364f

SHA256
d7df32f4e9ee8e9c8eea656d1d54107338bf8952f41193d3e824b5f472cd37eb

SHA512
8073699686a423c19a90d9dd678b397f01522f848992f846507d8ae5132da1f3fc46e4d52b4f43861814dcbd240d27cb3f3965d11e5043d9e1544c50d8f24643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1ed092452e42364cd376ba5fa1d52b01

SHA1
305d031c880d49986ed9984437536eb7738f9fc2

SHA256
73c6402cc99aefaf0ddaaebf34c2c0f5d20698446672239d6f23a7d252ed778c

SHA512
9c2b84d93ef894b63bec3144e54b6759af6be9128d4e5c12c79a4a89c871930aa51e65a51deb9acad0c1eb1cf1d354bb2f04aa5a4553e5aace82c0fef7c113e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5bb021edd7e19be86d56818b2e567db0

SHA1
e6b91043b6c7c88b324920d7bc228823e6ff65a5

SHA256
4d4af6048153e24caca2166919d3888ea1fa06cf44549ef8a458b4020e93188e

SHA512
6ba9778f5589ffa92675bba11083a4803b51ab41f7b8988de0ffb2542cbf500df960062bd2a1bdeec278957575915beadf7aaa25a3b1f788279b19601d4cd57a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ff13750622c9b4e6a51ba17fdeb6e3fe

SHA1
3208666731fa34f6d9f8f3544197857e3a04c1ea

SHA256
0fd41c8c22f11766bd4899cdac6142d5539aebffc25c309eb05d21798a31a42e

SHA512
bf7c9f6924f06504b36d9810553de3fe76dcff7bb86a2e7ce954e1d9014a72863c2dd7234d03eaccb192f57639692ffb6ffbb58678bf8fa6bbdf5096a19dc7bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cebdea2f08f68afbb05f9514a140e9d9

SHA1
18573456f1dee3422fc282cddfaa6489f8a1fd86

SHA256
fd76f5fcafec20004dafb4ea94f5162d85997e4b3a4484191de30838c7c58d49

SHA512
658a3c763d678fd3720d29695fb67e596ff17bbcb4bb38e76d13196eb154b1e8e7f944c5218efb8fcc548bd37b44a63d688632dd0e34525a3e727a93ea3afb79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
512be652aa2e6da1e340ae5407908644

SHA1
b1186be8058ca30080c5eb4ad061349ad60c6c86

SHA256
2455dc7a8d2747fc25db0eebc5dc13ec31203a213b51b59c48d606947ed922f6

SHA512
2dbc872011f36b17230302fe50f5fc179fbc26e1eca7d565646bab922a4558552ead01466dd38fa593d20e7334c243bccfe42aef621a67522014d5d6084e0ff7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7fd90c0e094a90d62321019bddfd44e6

SHA1
7bf4e5751ec376aa7ae7439a6894b298d910985f

SHA256
8b226438e4f9d198de1222926ab558a60680ca45b9388d3af94d9f0276ccd782

SHA512
d69a52f9a31d231403b172708015f78f711dbe254510b1f80e91fea08126c04537789f70cc2b5b2a368419f5b8f89ba92baca5d1d84ea827eca1273aa3447632

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bf3cd7b4e520a7548c987933321d16f4

SHA1
fae930eb7389494adbef3ad671c19a1d1be89b75

SHA256
295f8d0ea5df69af1af24ad7da2a397e5e55f93c26b8dce4ca0cc5a9b1070bed

SHA512
58124bf62417f72d2691d289a699c7862c9c16da490144d86bdd7b9cc830261c36568a7b03da44b5190b3738593bc423eebcb27d20ef30e79fe089a5770be98b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
68d9e7a1f5acbc1477e4442389610fe6

SHA1
e32e0e643893fa0c3332ab7f66d0545ff0137d63

SHA256
40d226ab09e1e450c7a9110bf17f3aac466ed64a9650429c7cbd0ddb80307f42

SHA512
165007f8a9a566b731f07b5370ff49a752f7d387d55f6bc8e8e624db999181e5d727172a4878479ef19ec43108d0b5aa2a5292589a5208aad10b0f7596a2d05a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0424a22d2ba072a324892a62d5831b39

SHA1
519f3b6e2ef7aa2d08966514fa1fda04c06cdccd

SHA256
27727e6ae37c498cef10629e09eb19b22fb36ec23c2ffe201f4f97365492f3a3

SHA512
bf2d2a1c488b79bfe5bb31f4343e7e6b6a0ee5ec8e40b5aea0c67588a2de4e23697d4d1c5378fa8e91ba911b8404d8618e31c1fb8c6fed8b8973722a4106e920

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bf1424e1c3d5a821c2ad101c3f731ff5

SHA1
7d9302868b054c172e182c93f90ef436b3407a82

SHA256
9fa8077d399a98f82b3815582877ee5b23c2e5fe12e48c6fd6ae513c39417d47

SHA512
acf304e82d78b827f94ea7e7722587be32b97e10fb3d03d478726c45696740437693ddb2fdd8237f91d4b2c55e3531dfde4700ada3e2c8f3f765d7d9740cc138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
11c2b71cb266175be127f075492203d1

SHA1
7b43f16c03c1af748b3a6003dbc26e2db7eaaafa

SHA256
27391b9aa88d07a824601f6059f7bf4cf0895edc808b05cb8fda5c54d2eb4495

SHA512
5d44a845a48958afb65a5e25232f3d7421dd87a36bb1a47e5b7983b57e5b09f9bc3e4eafc90731233e53107ccc4ce5e928c695c356c8b3db85223bb2ed7c6263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9e7389c051cd07f1b6e9d28cc41c6ad3

SHA1
9d0ae898a9b3f541f7832e70f2f8934473c58815

SHA256
5db6a8ac7141940b7a4927c55bfffdca076beee3123e65ca022e9cb06d6398ba

SHA512
580864c68e5099d779ad6bde1679f066975b7b9a5bbe734f57137e7c5abf5b55675b1adccc5c1fb2c2d230636e7b1e791178f8102a15217dcb411c7e2efae75e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7bfce0c0f04feb958f48c1ea1b168166

SHA1
c187eb19a825c00b2cbd835eaf72f1e7f3defdf4

SHA256
196948434e6392d03be6c21e7a90af629cd2c5cd9dac0355a2636ea8ca66a4bb

SHA512
74a26e12d54c6c18a5daedc4014d08a12ee31c0e29f6beb65cf17474d835413ab0397548825656ad7e7255b3f0546576f5ae336f026d55202df5398574432387

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9dd513ba15e5d8ca059d1dc9ff7ad7d3

SHA1
74d90ebcc14141b7f15bbd96e55f36cd440ab5d6

SHA256
e93797ab262b12c140cc962de920c732e4ac2498f59e0e8b13409cd6bdf3dd71

SHA512
d81c4b65e339b1208ba64c7d6569a449bca9628a164d4bb4984e1cb4b36042b802d7e33cf593a220ee837ef5926d616150e744af90adab427d43dd61579869e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a3e82b11cd8ec19732001082e062f31a

SHA1
c5b55b52434123ea6f60a539ecf42ed056cf939e

SHA256
05a9489afd37e9fe259a42fabe52413be1c73882a6a2c604275cec90acd426f0

SHA512
1aa69ffd3338905f1685c5b0e03c7b7af722fca02a50cb4b8d0b934d62517dffc2a9013284a7672f0ddb44960f6bd3d09a3f156037c4ef9b28c6a4da3e2d228e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2960f2818da854f9a7138235c5c01eaa

SHA1
2bfd93050b9edd15f11952f5cda60492475c37cc

SHA256
d2082365b51ff8ff9abf70416100a7682c31bacb3005d49de746eeedb6d37a6a

SHA512
3ccc83629cd2da571347e51632a96ed7153f2455a77279abc333db79238332b11cc2204f8b79ffc6a2df4fca6c2868a64ad338e1a25d5849e0bc892d649f099d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
118632246906a89caf75ec299b5a8c93

SHA1
4edbe2a0b4099cb67773ad1e055a3b4165d0fec8

SHA256
e5a243a44a2d939531034033b892a24a21627cea57c679b38f5a7fe640843905

SHA512
7f632e4a3bf883c801bc32ef432332a3a58680f4f5dc8a82d05e39ff42dc3b52a0b80feb1812b6aae26b65c546f64f298ee4f88c89717e807326c00d56ad15fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
865B

MD5
edbc3d9f1bc80779fac278f939ab82e0

SHA1
e0d7c066b834624ffa3b30510f7ffa68897b81bd

SHA256
0a638a8fe56745a1c678886a2cf4e28065a7ad31244e716274cba4c2f581ea89

SHA512
57e86315727296c81e90b685ae242aff01725d56753e39d05fcf6c7252c6ee24ba86f353888acc50073219ca5f4af4fbfe3848bc8ba7d692ec293044000ea1e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ac6e17c9eb1335f710b8a68d8bdcceb3

SHA1
ecf27f2d59c7fefd06ed0acf55f32db7c9609910

SHA256
bc53902f4e0ac97a606b2f251bfb159fd06cf5adc0bd5f6a4e77a9bf4cf6284d

SHA512
6433a74a2c7d04c9f2e06ff14648ee12cf3b3c0de120adeea1159ff897f3ef1b49791476d5c7132538527ce39f2648d4007be4ba9af2e1b1472f0f2dff3922f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8b5e2ea7a5521be4b43d0aa48bd76278

SHA1
d5a68cf1aee2b26e78a170ab13568631b098490a

SHA256
d4848cf946f0429b7f411e229029791a17117f829047100a701b61fbb7643274

SHA512
5303b587fba068ff7e85a956b42f5fda1f029744463a1240bc513cdb7b4f7f3c532429d1a8553ee4aaa5b095dd59e78dda4e491067d267e9944f212a5653c171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6dceb41e34cb1beaa1cfa6067218a237

SHA1
d4d54a96dc7de1e5bb76eaa5f68ecbb479260829

SHA256
07010bbe55243297a4e43910478496d3898d3f9ee33bc7389cd6d261ebda2b5a

SHA512
f2c5187522ae99078d5197b39f8fd05ea3df6e7703ad9a9964ecfa7c85a8ae8ed81976f5925181f25dd9b294105c2dd22717b22760d970f0dd21923e87fd9d0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a8e2be6bdc57dda564442dd7fea3f552

SHA1
a42e154b1c7d0e15088c1aa67f0cf6188098dc92

SHA256
ba9dc84a3581b681d1f6a8b9b2099912a4e176a6ab1b3c7019c725626c0b3a51

SHA512
de76418208e8674580fedbcafb3795789623234ade242891ffe834a6c438023ce14729bd829cc59425a292b07cc6b0b4a3b4e856b50a42c49a10854a528de548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
801e6bf382de6cc06f2ac516b58b35c4

SHA1
204f52981c1ccb48a1d9074e60e17c953a35f77a

SHA256
1fabd15f711481cae7a3bbc7df24180a24708924e9c95d7605b4f3747edaec12

SHA512
929df765ee5af9dfcfde9908461bb330323d22e4846c74fdff98407f740c2c072d884dbca67c059bf1c997ba67fe9931c8b18ac29062790dc6ebe63ab64f13f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d494913cb1b6c70f7a4f2b081213bd50

SHA1
28d039f8dfc7dc0527569ac890f25fe6bbd6889e

SHA256
0d64cda0eae81f4465ac4ab661a3be93c9f1696229b1dfc4666a31e2c44ed371

SHA512
f841f1d32d658a98e603e21ecfe429de06dae887d7f0a92d0f9b2e036ce2369717eb194171a034d5839ab1ff39a0227f35d774e3be8d904ff6eff4bba7622ae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8f09783ac76d1941acd41ffdb982d41b

SHA1
6d0743f9714bcebd7500c6437c0704284c5bf78f

SHA256
aa6551b26c4246eb4271172669742d55b066b785dca4a26a2e191eb6e632a33f

SHA512
6047339ea4ecb2c1bd10abe47a80d15da51142d04a2aaef46aaa99dd0de185f0b229d7c2c250dc799b8c3c0a476dd69294f6bd0299a73c862feb19d2aaec8f5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5841b7.TMP

Filesize
538B

MD5
8fc871c348b0cf7b4fc57c64dcbc0133

SHA1
b2f75f0561a2ed330879aeabf91fb03411654a3b

SHA256
d47992c67635ab7757b9536152935fd795e8836eb3bcafd32c98be2fc110c5d8

SHA512
2e5aa2373f141a68b83eb3e9fffbf312aa4343c3df6cdb8d3fdc3883b19a8955f3473050c8e160612ddd4c3ab575582ca0277541af76eeac7781c89af83084f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe6f6feb.TMP

Filesize
1KB

MD5
5383ad55c2f0082efa562d75cbd87cfd

SHA1
c5dedf70846e5392130f1d5af409ac3d0c7bb41b

SHA256
f70901e496a908878b3427f6b8adb9b3e99aad42cfbee31d0b9aadb4a9556558

SHA512
e7f94091bed6d3321a368a580b267a13edb9799e98a8aa6f1c3efeff6b9fa77159ea25d7d29549ff86b5f36c86875b5c4ef209fa2c60f35cc67c61f9b4f441a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
07b161774c76743b2093a2658a097632

SHA1
f79c8b5f94f5ae0b66e7141f34705d84a00935e9

SHA256
4eb3f5b378102a4d3a4f408c65412c814799c502ba98449909cbedd9e589d2f7

SHA512
ded30e05f3c7358f92f9a6d0d4241b7a0f80ccc4732c18d3bf2754bb4d000ff1e0ab806b18fb6e6ca87f0f9a833e9b7872709e0a0cdc329fb9e1c5f8195997ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
84983a7691ae096243c52a3c91d561d6

SHA1
b36a104e52a827ff96f6368b1adf606770ae9b80

SHA256
263cc2f0202523d27978e4ea69e367a9a5393fb521b3902b1f7441d1e76d5ec3

SHA512
e7b5e201542cfdbdcb93ccd9322a79a5cdd53819fc2bd30b6eab9b241132aeaf3d333d3300a4ed13e77c2514e49308e8ae52799092561543c86084f47a824282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f091edbd5614be2612e2d9558b746fe7

SHA1
f0ab21c11282c29934723303cf2c0cca90c7f8cb

SHA256
a96c4735db9bd5c5d7f2c36316333becd8940553f1a6be27bfc10f7df00cc7f3

SHA512
c5670ba606ce7c0dba8d6d82769a6f7f7385ff6eae01cf78d8e72b6f8f56439a1dd5227cf0fd8e49eea51651d5fe35bfe5986a5e6c60f5de4f55e1ac5fa07f61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
31de9863bc7fe4f225c2327e71aa6ba7

SHA1
134a35ed6da8a4b1b1dd8d62d89c88a3c2f2d866

SHA256
e46dddd091442848f0872d47667c2897c4f87ff93bd3022834f98ec623172977

SHA512
71900f099f976a1041a8a9a48db6f6af4451f42f3067aa1e448ab1f99d249eec3acf6d57cc07a347e28e60b2db924dbb777d39db6e21ceefbf1ce65c77dda374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
98dd0795df45e52c7a655b98beecd05c

SHA1
050d3d7b75235d8ef1788e89bb27eb604ae0bef8

SHA256
cd0e8d0e79627a508f5e44c0f607a3b8d62ff2251fd71273d2bc9de0df32d820

SHA512
406e625b066e1d68dc117659d7879746e3b35611815fa49e3a5575f8d622fdbc3b7933d0cf0965857f995f876868e8b08d19393825374e6173148a044e1bd5b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e27b5f7c27e7ae192b3abf2d89a7d5c4

SHA1
acd444e6d3b368e0d157e3c8ed9d1020291ca7d9

SHA256
f9083afb8cf97a8cbb9518be5e10407a2cb6fd3ce07d29b3dd7a33095dfdf7dd

SHA512
1a07aa0d386f3e28144fbb9901ac52664875714c3f4d2b48dbb8620107387705b9240838eac2ec5fe0ba51fd5ebdabeabd946f5a6df8de93d2373db7e8c7ecf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1ecfa7dc584bce0f2a2ead4f02fe9dc6

SHA1
f078711c929f3a503a2cecda7801b5f89f14703b

SHA256
01fe1cabc073852540293a9692c79cc67929eb15ef86bc5ff90961a3344c2a86

SHA512
14c798f8930c2a81a353f57a3c3ec2f130a75394429216923246d7049fb87a72feb3880c145fba7869887d389d87c4270a95a6200d3760058e46dd99e88d0950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
129c3159149fcd4daa690e11a8b2d73e

SHA1
5320aa07bf111c50f04c77a7d3fb24d65076cfb3

SHA256
2112a79c77a07255e90c3eb697f29b898d6e1224ea2f4f65f2ea5a181e2cd01b

SHA512
5bb435c3d2fae054fde8829f2f23259a9301d4e90f1ab55bc2454495f7cad8333aef8aca7ae8d4c1c2807258f3981ae0f40b464f5bd3a1d8412ceeb3d1604b5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0b8939328d23644d65165b3dc6c123dd

SHA1
59e374d4b8f043258b891cb5a36f50321c93d85f

SHA256
d9094bf8204666b205dd95738d97a19429055912d78a89ec88139a5ffd5496c9

SHA512
0aafd8cddf4e012334ab47676ed83282ddb9159ea7c9f94342c1070807cdf4442eaa21990367423feb0d619506918ca666897da8d4711f3146e2f00a5487d36e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
adcba962cd680d5d2b4fb8fcd38a7c7e

SHA1
3407e28b51834a1c439cb8b4633239c53ec5d403

SHA256
d533f7bae3dd0d89b55adb8f3d2ee5fb34eef7b72a272c5623c7a6076fb4ef2e

SHA512
c049761006d25bfe5bece0e8c4539179ec8a0196ee3be7661c6891cb7adbf34a3ec353f2d0b1a9e05d1b1f7513a28c61bf40e6b0f94957539338e6d1f647f08d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
45210fb56f389a8963cb5cc6d47d2192

SHA1
28725dd212bd26e2362348937a8a7cdd5fbf476c

SHA256
c4638a7fa60f0d3b3caeb805ed8159f97177dd3bdea1e886bedeb9baa789c79b

SHA512
35567cf17ef4b31f71189c9a88602f4e56b982db955113ae80268a4fb924f5e462ca4728df676acb0b964dd1c328e1f56e270c06c7545cab26a6c2ddfa0de6a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a065dc027ef88811a2b054149644dd3c

SHA1
954be4c0296c1208b6e1168d324da3625d058305

SHA256
89f3f884acf790a2bfc72046866eeb5ff48ac5d596d3d37e69404c154f40f8a2

SHA512
aaf1815a56e641be4d51ebd3b417329bcbcdd9a13b3de5c943d0136958a82f6be1a058e151c59485552c5c918fac42bb25e0ed9a75c03cdf2c8c320a5a1bbbfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
05fcf91986a10c83440d80b78a4aeef7

SHA1
7ed1715aeafdef076fff467231bb67c0bb736574

SHA256
c523f8918b4be23895fcc4851977b0b42c981eb83c17b1136db285599bf94614

SHA512
a3f5ca2a876211caefcc6692dc09987424c4df97cb897102e028e2984f42c25b13b9d9e100f3e70e0fe66fe3239afe4c0c0eb6acb7d9edb69997f952debd2b81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a7d2fb3c6a0db9e2ec7c66a192c911bd

SHA1
3dfdbbcb8d6891f5f68d9345ba4726abd69c21ea

SHA256
70769b3373e78b70b00f240bd5929b8eeee071e614b785b11e1f9b25a519e489

SHA512
af4993f92b55578a4d83efe3e1d4fd07fabcd674998f28ced7738c2c859b5a0daa3600e93cf9dc6c2f10dd0038aedf45a1309f5323fda8fc7c13d6ef156d563d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cbbbab812cead25e3dae859047f9def1

SHA1
b9460b35cca305a4c37ae01e5729b899f59d904a

SHA256
12cebcff2b7f843d4f96ec5b68f174490f75df7ea3ecbb3a40e82f78c47e1a61

SHA512
fac4bfff9fc0b72be6d391fe8f66a1ca15e94c3ab110525c3eb9ff9fc878d5d2b90407ffc68e5bd68817bf6b892ab30724f36b014b06410cd970b0440966c141

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
29024d45bcc2e235aa6e54445a3e171d

SHA1
36fe1d827d01ee73bf02a50a27b8a529bbd54733

SHA256
6e35a0ec4879e2c0e45df93e145d4f34c4ba411ca45130986522e98e3a16d561

SHA512
9b52f192f6f78ff384e8d4faca1e9c263e7ff7c3dc7e835ff5b5e61f2f31d5ef9d736ee3d534b163a044b2894d08fbdf07e8935cced883b657885b24c6d98b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9a81a8d0d6c80de926a1efddcecaa1b6

SHA1
6d6702fc0696dc9ae60e4245e23319db71104a99

SHA256
d82efea26f932b6edfd68144aae06fa4252283152ddc71897ab5be77b336c348

SHA512
b22bd45c1b2f24446ed75e3926e691aa5bda785ee4333826179dd770aae81096584bc6914d44389b98b83b6fdb0ce2c365de0ac2e661733699a9820225261aa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a3bac2b017c4f2f5239ceda442916372

SHA1
1cb6b69b7b4e095937c1da8f2c01639760915950

SHA256
6edc901482fe2042eb99683cba8502e7993272dd7c34b4e0ae8fe4f1b41f1a18

SHA512
5a084db5ac4b64f43fcaed97881ffb2df1cca4ea242bc0fdb1e2c7d85a273b99d5d403938adf93e03e4d4d370a7a93524af629a4a65b4c847a16cf001f41afce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e58fd545e8d2be83f1494d2055c4952e

SHA1
d13c105869bc576aed3332866b9c4d729e037f93

SHA256
e91350ccd0236ca195ba802924962f6ebc8a6b771bc0785746c75dd3a8b45119

SHA512
75db282271fe90c4ed392a48a78ae0b7388ef96067b03134ebfe92f54e4c74f39cb6ad0074583969eb53dbe269bb069b1e294793c0487b3258850aabfbce59b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1365b79265585dd019e8d51b51fd2cef

SHA1
d0f74ce19f745cd483f9998ee5c00be7a707a264

SHA256
52eeb10c25f4eec942f0cbec6b8a4e17b74cc386031149ade36beea94bae5681

SHA512
b1379762328442b347801fd9521369eca9e9515deffb6833ad3017f98775c72314cdcbfe47afdb6bdb16a9da2ff725df6309b396dbb146af9e5559414fd1db75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

Filesize
24B

MD5
ae6fbded57f9f7d048b95468ddee47ca

SHA1
c4473ea845be2fb5d28a61efd72f19d74d5fc82e

SHA256
d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

SHA512
f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_store

Filesize
10KB

MD5
c3c6b3f8296ee0464e2957e7ed77b527

SHA1
24d7d914835515766dca91b45e99923212fe27f7

SHA256
88d6865978ed46cf26439760cfaa30e67dcd4ae0c7f2f40894d2d5aa23e08c44

SHA512
6a85e78bf5b411e6a3d0bc83e813eb22615ea00a89704f3e5b26286dc272793ad8cb47aaee12cfcf009c3c6124e32640acf6f966d61dce44f8978671aa54f7d6

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei

Filesize
23KB

MD5
011bada08d600540d409517b7f2098cc

SHA1
20ceffe8c18855cfe8ae42eb221fca20b6e8fd84

SHA256
45b908cd6088404cf9d6e0521495ac6e4ed3976a30c97322cd521c1da8f04734

SHA512
3d87859b48c84565caf29db45115a198abe24afc8c5cccfba845b20e7a076158e1df572b71683e6bd971fce720835a65aa90c9e9fb1ead8f38edb8ce83765055

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\296491734540810.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\MYDOOM (3).idb:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\MYDOOM.idb

Filesize
152KB

MD5
c83169032c4d8bd2da5a0623800e08da

SHA1
a2954d47bc8cb4c18c6a98dec7bb01251a4c2376

SHA256
7a6683931d889f317d701498bfa4f2c3ad9e519dac3e4b5655d9f76f38f5df69

SHA512
4f6c496a27c8d6c5989109111e50b09df395ecb35517c73abc88914d0acefcc26a671907bfa7d4bb09676431ba460682d70913404161835ea35abb2d6f06a93c

Download Submit
C:\Users\Admin\Downloads\MYDOOM.idb:Zone.Identifier

Filesize
205B

MD5
c1662b87dc962c5cdcf120184b6a61d6

SHA1
f40506556670d8d8c7db86047aea48ab607680f4

SHA256
fbb8bda955d56c2b81ea13589bce2ae8a68423eb8a37d21b963eb37aef4e48a0

SHA512
2d263444b6cf27475c99dbab709cfec9dc7dfbddb8e10596abf786aee745cac227563fea3cf01a19d27a37d2f627c1fb0a6fa3f3c6a58e5ff2b7fded559cbabd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 100027.crdownload

Filesize
1.9MB

MD5
faa6cb3e816adaeaabf2930457c79c33

SHA1
6539de41b48d271bf4237e6eb09b0ee40f9a2140

SHA256
6680317e6eaa04315b47aaadd986262cd485c8a4bd843902f4c779c858a3e31b

SHA512
58859556771203d736ee991b651a6a409de7e3059c2afe81d4545864295c383f75cfbabf3cffaa0c412a6ec27bf939f0893c28152f53512c7885e597db8d2c66

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 164134.crdownload

Filesize
128KB

MD5
7bd8a009b84b35868613332fe14267ab

SHA1
d36d4753aab27c6c5e253b9926406f7f97dc69a6

SHA256
56511f0b28f28c23b5a1a3c7d524ee25a4c6df9ac2b53797c95199534f86bbd2

SHA512
ad8e121f601f6698d720181d486da828781f729ca7880fb35c6fc70f021197e4a508dc46d980108a168ef2c6c89a62f3140e676ff71a1e40ea3e397ad0c63261

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 192543.crdownload

Filesize
373KB

MD5
9c3e9e30d51489a891513e8a14d931e4

SHA1
4e5a5898389eef8f464dee04a74f3b5c217b7176

SHA256
f8f7b5f20ca57c61df6dc8ff49f2f5f90276a378ec17397249fdc099a6e1dcd8

SHA512
bf45677b7dd6c67ad350ec6ecad5bc3f04dea179fae0ff0a695c69f7de919476dd7a69c25b04c8530a35119e4933f4a8c327ed6dcef892b1114dfd7e494a19a7

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 27112.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 657746.crdownload

Filesize
84KB

MD5
9d15a3b314600b4c08682b0202700ee7

SHA1
208e79cdb96328d5929248bb8a4dd622cf0684d1

SHA256
3ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15

SHA512
9916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 741448.crdownload

Filesize
111KB

MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 743611.crdownload

Filesize
72KB

MD5
da9dba70de70dc43d6535f2975cec68d

SHA1
f8deb4673dff2a825932d24451cc0a385328b7a4

SHA256
29ceeb3d763d307a0dd7068fa1b2009f2b0d85ca6d2aa5867b12c595ba96762a

SHA512
48bbacb953f0ffbe498767593599285ea27205a21f6ec810437952b0e8d4007a71693d34c8fc803950a5454738bea3b0bafa9ff08cd752bf57e14fedf4efb518

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 772913.crdownload

Filesize
2.1MB

MD5
f571faca510bffe809c76c1828d44523

SHA1
7a3ca1660f0a513316b8cd5496ac7dbe82f0e0c2

SHA256
117d7af0deb40b3fe532bb6cbe374884fa55ed7cfe053fe698720cdccb5a59cb

SHA512
a08bca2fb1387cc70b737520d566c7117aa3fdb9a52f5dbb0bb7be44630da7977882d8c808cbee843c8a180777b4ac5819e8bafda6b2c883e380dc7fb5358a51

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 887141.crdownload

Filesize
184KB

MD5
c9c341eaf04c89933ed28cbc2739d325

SHA1
c5b7d47aef3bd33a24293138fcba3a5ff286c2a8

SHA256
1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7

SHA512
7cfa6ec0be0f5ae80404c6c709a6fd00ca10a18b6def5ca746611d0d32a9552f7961ab0ebf8a336b27f7058d700205be7fcc859a30d7d185aa9457267090f99b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 887141.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 892033.crdownload

Filesize
7KB

MD5
d2b8ea4a267c69040c7d3ad80f64f8ba

SHA1
ac2296b3fcaed80221c78d3a3cd9180b86bd33e7

SHA256
aa14a4bfb1e6de52750cc89b91cacbe8bd318634ccb54fa835f5e2c5d1d2f633

SHA512
4a0cbd391ae029a2262e43320c96e3f25d1f4893eb4f144cb90f248d364c11e98f6440d74a413417eee5bd9fd0c0968d53e1c4a58d8617ec80cef876759e4758

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 954792.crdownload

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\Xyeta.exe:Zone.Identifier

Filesize
225B

MD5
f4425426342c5cb87c78f2d87a554e5a

SHA1
10a35f6b5b6529b6f22f5d2a667cabf8aa360f9b

SHA256
e018ef0c98aa6f62e2c0272f5d44e784133e186556168bd3e87fb3bbc18978df

SHA512
7448ad707eb0fb2b26eb701320c2fd9e98464e50d9f7b9ca6dd3e0a74f06f2005c52159a4778d023ebe6c47686c9bc700f47163779491ca0c6a8670a7ea7ec4d

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/652-3031-0x000001F4896D0000-0x000001F4896E7000-memory.dmp

Filesize
92KB

Download
memory/652-3061-0x000001F4896D0000-0x000001F4896E7000-memory.dmp

Filesize
92KB

Download
memory/800-3029-0x0000024144800000-0x0000024144817000-memory.dmp

Filesize
92KB

Download
memory/800-3060-0x0000024144800000-0x0000024144817000-memory.dmp

Filesize
92KB

Download
memory/1524-1652-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1684-3010-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1684-3014-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1684-3009-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2648-3020-0x000001849B5E0000-0x000001849B5F7000-memory.dmp

Filesize
92KB

Download
memory/2648-3042-0x000001849B5E0000-0x000001849B5F7000-memory.dmp

Filesize
92KB

Download
memory/2776-3021-0x000001C5D5B20000-0x000001C5D5B37000-memory.dmp

Filesize
92KB

Download
memory/2776-3032-0x000001C5D5B20000-0x000001C5D5B37000-memory.dmp

Filesize
92KB

Download
memory/2928-3076-0x0000000005110000-0x0000000005127000-memory.dmp

Filesize
92KB

Download
memory/2928-3077-0x0000000005110000-0x0000000005127000-memory.dmp

Filesize
92KB

Download
memory/2928-3017-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2928-3074-0x0000000005110000-0x0000000005127000-memory.dmp

Filesize
92KB

Download
memory/2928-3075-0x0000000005110000-0x0000000005127000-memory.dmp

Filesize
92KB

Download
memory/2928-3073-0x0000000005110000-0x0000000005127000-memory.dmp

Filesize
92KB

Download
memory/2928-3016-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3356-3035-0x000000000CC80000-0x000000000CC97000-memory.dmp

Filesize
92KB

Download
memory/3356-3037-0x000000000CC80000-0x000000000CC97000-memory.dmp

Filesize
92KB

Download
memory/3356-3036-0x000000000CC80000-0x000000000CC97000-memory.dmp

Filesize
92KB

Download
memory/3356-3034-0x000000000CC80000-0x000000000CC97000-memory.dmp

Filesize
92KB

Download
memory/3356-3022-0x000000000CC80000-0x000000000CC97000-memory.dmp

Filesize
92KB

Download
memory/3356-3033-0x000000000CC80000-0x000000000CC97000-memory.dmp

Filesize
92KB

Download
memory/3492-3043-0x00000287F21D0000-0x00000287F21E7000-memory.dmp

Filesize
92KB

Download
memory/3492-3023-0x00000287F21D0000-0x00000287F21E7000-memory.dmp

Filesize
92KB

Download
memory/3808-3024-0x0000018B10820000-0x0000018B10837000-memory.dmp

Filesize
92KB

Download
memory/3848-3045-0x000002586D9B0000-0x000002586D9C7000-memory.dmp

Filesize
92KB

Download
memory/3848-3025-0x000002586D9B0000-0x000002586D9C7000-memory.dmp

Filesize
92KB

Download
memory/3888-3026-0x000001785B1B0000-0x000001785B1C7000-memory.dmp

Filesize
92KB

Download
memory/3888-3038-0x000001785B1B0000-0x000001785B1C7000-memory.dmp

Filesize
92KB

Download
memory/3984-3027-0x000001F773B50000-0x000001F773B67000-memory.dmp

Filesize
92KB

Download
memory/3984-3047-0x000001F773B50000-0x000001F773B67000-memory.dmp

Filesize
92KB

Download
memory/4052-3048-0x000001D35F4C0000-0x000001D35F4D7000-memory.dmp

Filesize
92KB

Download
memory/4052-3028-0x000001D35F4C0000-0x000001D35F4D7000-memory.dmp

Filesize
92KB

Download
memory/4204-3030-0x00000265FC350000-0x00000265FC367000-memory.dmp

Filesize
92KB

Download
memory/4204-3040-0x00000265FC350000-0x00000265FC367000-memory.dmp

Filesize
92KB

Download
memory/4556-1599-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4556-1597-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4720-1528-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4720-1529-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4820-3058-0x0000000002D90000-0x0000000002DA8000-memory.dmp

Filesize
96KB

Download
memory/4820-3056-0x0000000001620000-0x0000000001651000-memory.dmp

Filesize
196KB

Download
memory/4820-3052-0x0000000001010000-0x0000000001130000-memory.dmp

Filesize
1.1MB

Download
memory/4820-3049-0x0000000000E90000-0x0000000000EB9000-memory.dmp

Filesize
164KB

Download
memory/4820-3063-0x0000000003210000-0x000000000328F000-memory.dmp

Filesize
508KB

Download
memory/4820-3018-0x0000000000410000-0x00000000004CD000-memory.dmp

Filesize
756KB

Download
memory/4820-3041-0x0000000000B00000-0x0000000000CAC000-memory.dmp

Filesize
1.7MB

Download
memory/4820-3059-0x0000000002E80000-0x0000000002EB5000-memory.dmp

Filesize
212KB

Download
memory/4820-3057-0x0000000002D40000-0x0000000002D82000-memory.dmp

Filesize
264KB

Download
memory/4820-3051-0x0000000000F70000-0x000000000100E000-memory.dmp

Filesize
632KB

Download
memory/4820-3050-0x0000000000EC0000-0x0000000000F63000-memory.dmp

Filesize
652KB

Download
memory/4820-3064-0x0000000003290000-0x00000000032B7000-memory.dmp

Filesize
156KB

Download
memory/4820-3046-0x0000000000E60000-0x0000000000E86000-memory.dmp

Filesize
152KB

Download
memory/4820-3044-0x0000000000CB0000-0x0000000000D5E000-memory.dmp

Filesize
696KB

Download
memory/4820-3053-0x0000000001130000-0x0000000001242000-memory.dmp

Filesize
1.1MB

Download
memory/4820-3054-0x0000000001250000-0x00000000012ED000-memory.dmp

Filesize
628KB

Download
memory/4820-3055-0x00000000012F0000-0x0000000001401000-memory.dmp

Filesize
1.1MB

Download
memory/4820-3039-0x0000000000A60000-0x0000000000AF1000-memory.dmp

Filesize
580KB

Download
memory/4820-3062-0x0000000003200000-0x000000000320C000-memory.dmp

Filesize
48KB

Download
memory/4820-3019-0x00000000006E0000-0x0000000000A54000-memory.dmp

Filesize
3.5MB

Download