dharma | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/raw/master/Trojan/MrsMajors/MrsMajor3[.]0[.]exe

Analysis

max time kernel
1800s
max time network
1176s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
08-02-2024 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/raw/master/Trojan/MrsMajors/MrsMajor3.0.exe

Score

10^/10

dharma agilenet evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (534) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Drops startup file 5 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe

Executes dropped EXE 22 IoCs

Processes:

MrsMajor3.0.exeeulascr.exeCoronaVirus.exeCoronaVirus.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
2800	MrsMajor3.0.exe
2732	eulascr.exe
1300	CoronaVirus.exe
2636	CoronaVirus.exe
5776	msedge.exe
33412	msedge.exe
33456	msedge.exe
33436	msedge.exe
33460	msedge.exe
40112	msedge.exe
5816	msedge.exe
5820	msedge.exe
42960	msedge.exe
42984	msedge.exe
5744	msedge.exe
33420	msedge.exe
43016	msedge.exe
52180	msedge.exe
52220	msedge.exe
33088	msedge.exe
33048	msedge.exe
34412	msedge.exe

Loads dropped DLL 15 IoCs

Processes:

eulascr.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
2732	eulascr.exe
6872	msedge.exe
43004	msedge.exe
42952	msedge.exe
43016	msedge.exe
33456	msedge.exe
40112	msedge.exe
33460	msedge.exe
42996	msedge.exe
5784	msedge.exe
42964	msedge.exe
5752	msedge.exe
5716	msedge.exe
5816	msedge.exe
33416	msedge.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\B611.tmp\eulascr.exe	agile_net
behavioral1/memory/2732-212-0x00000000006E0000-0x000000000070A000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CoronaVirus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-771046930-2949676035-3337286276-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-771046930-2949676035-3337286276-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
14 raw.githubusercontent.com
53 raw.githubusercontent.com
Drops file in System32 directory 2 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe
File created C:\Windows\System32\Info.hta CoronaVirus.exe

flow	ioc
1	raw.githubusercontent.com
14	raw.githubusercontent.com
53	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\System.Windows.Forms.Design.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DetailsList\DetailsRow.types.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\th.pak	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\x_2x.png.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\tr.pak	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\RADIAL.ELM.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BLANK.ONE.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\PREVIEW.GIF.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib\createTheme.js	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Hx.HxT.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_12008.1001.1.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\root\ui-strings.js.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSmallTile.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\ui-strings.js.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ro-ro\ui-strings.js.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICBI.TTF.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_pattern_RHP.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msolui.rll.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubAppList.targetsize-80_altform-lightunplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\ir.idl	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\ui-strings.js.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_hover.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\Trust Protection Lists\Mu\Fingerprinting.DATA	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Globalization.Extensions.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\ui-strings.js.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\proof.en-us.msi.16.en-us.vreg.dat.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER.XLAM.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherAppList.targetsize-48_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_th_en_CA_v2.txt.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-pl.xrm-ms.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\plugin.js.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\COPYRIGHT	CoronaVirus.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoCanary.png	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\.version.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\FeedbackHubAppList.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-lightunplated_contrast-white.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\trash.gif.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\uk-ua\ui-strings.js.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\ui-strings.js.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ul-phn.xrm-ms.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-0.dll.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ind_prog.gif.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\sunec.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity@2x.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\ui-strings.js.id-75A0ACBC.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js	CoronaVirus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe

Enumerates system info in registry 2 TTPs 36 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exemsedge.exewermgr.exewermgr.exewermgr.exewermgr.exemsedge.exewermgr.exewermgr.exewermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

38620 vssadmin.exe
38616 vssadmin.exe

pid	process
38620	vssadmin.exe
38616	vssadmin.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-771046930-2949676035-3337286276-1000\{357133C9-5CA0-42D2-9DCA-1ED25EE1C682}	msedge.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 43591.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 402306.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeeulascr.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exeCoronaVirus.exe

pid	process
3500	msedge.exe
3500	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
2276	identity_helper.exe
2276	identity_helper.exe
772	msedge.exe
772	msedge.exe
4368	msedge.exe
4368	msedge.exe
2732	eulascr.exe
5000	msedge.exe
5000	msedge.exe
760	msedge.exe
760	msedge.exe
536	identity_helper.exe
536	identity_helper.exe
3132	msedge.exe
3132	msedge.exe
4724	msedge.exe
4724	msedge.exe
1036	msedge.exe
1036	msedge.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe
1300	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

eulascr.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2732	eulascr.exe
Token: SeBackupPrivilege	38552	vssvc.exe
Token: SeRestorePrivilege	38552	vssvc.exe
Token: SeAuditPrivilege	38552	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MrsMajor3.0.exe

pid process

2800 MrsMajor3.0.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4540 wrote to memory of 2184	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2184	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 1056	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 3500	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 3500	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe
PID 4540 wrote to memory of 2712	4540	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/raw/master/Trojan/MrsMajors/MrsMajor3.0.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffceda33cb8,0x7ffceda33cc8,0x7ffceda33cd8
2⤵
PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,14451472772093962850,3345918048406067504,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
2⤵
PID:1056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,14451472772093962850,3345918048406067504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,14451472772093962850,3345918048406067504,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
2⤵
PID:2712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14451472772093962850,3345918048406067504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
2⤵
PID:3544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14451472772093962850,3345918048406067504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
2⤵
PID:3956

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,14451472772093962850,3345918048406067504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14451472772093962850,3345918048406067504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
2⤵
PID:900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,14451472772093962850,3345918048406067504,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3824 /prefetch:8
2⤵
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,14451472772093962850,3345918048406067504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,14451472772093962850,3345918048406067504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5040

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4348

C:\Users\Admin\Downloads\MrsMajor3.0.exe
"C:\Users\Admin\Downloads\MrsMajor3.0.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\B611.tmp\B612.tmp\B613.vbs //Nologo
2⤵
- UAC bypass
- System policy modification
PID:1748

C:\Users\Admin\AppData\Local\Temp\B611.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\B611.tmp\eulascr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffceda33cb8,0x7ffceda33cc8,0x7ffceda33cd8
2⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
2⤵
PID:1148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 /prefetch:8
2⤵
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
2⤵
PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
2⤵
PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
2⤵
PID:3784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
2⤵
PID:976

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3256 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
2⤵
PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
2⤵
PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
2⤵
PID:2560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
2⤵
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
2⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
2⤵
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5528 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5744 /prefetch:8
2⤵
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
2⤵
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
2⤵
PID:2264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
2⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
2⤵
PID:3180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6384 /prefetch:8
2⤵
PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1712,14666940969352811198,17830021116662060034,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6164 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:688

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1300

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:4504

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:32804

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:38620

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:52060

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:33172

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:38616

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:31948

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:32252

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Executes dropped EXE
PID:2636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xdc,0xe0,0x7ffceda33cb8,0x7ffceda33cc8,0x7ffceda33cd8
1⤵
PID:22500

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "22500" "960" "836" "956" "0" "0" "0" "0" "0" "0" "0" "0"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:37984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:22480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Loads dropped DLL
PID:6872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffceda33cb8,0x7ffceda33cc8,0x7ffceda33cd8
2⤵
PID:7056

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "7056" "864" "828" "860" "0" "0" "0" "0" "0" "0" "0" "0"
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:30176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffceda33cb8,0x7ffceda33cc8,0x7ffceda33cd8
1⤵
- Executes dropped EXE
PID:33420

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "33420" "744" "544" "740" "0" "0" "0" "0" "0" "0" "0" "0"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:37876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffceda33cb8,0x7ffceda33cc8,0x7ffceda33cd8
1⤵
- Executes dropped EXE
PID:33048

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "33048" "868" "828" "864" "0" "0" "0" "0" "0" "0" "0" "0"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:30420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffceda33cb8,0x7ffceda33cc8,0x7ffceda33cd8
1⤵
- Executes dropped EXE
PID:33088

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "33088" "868" "836" "860" "0" "0" "0" "0" "0" "0" "0" "0"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:38732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffceda33cb8,0x7ffceda33cc8,0x7ffceda33cd8
1⤵
- Executes dropped EXE
PID:52220

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "52220" "492" "540" "508" "0" "0" "0" "0" "0" "0" "0" "0"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:36868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffceda33cb8,0x7ffceda33cc8,0x7ffceda33cd8
1⤵
- Executes dropped EXE
PID:52180

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "52180" "880" "844" "876" "0" "0" "0" "0" "0" "0" "0" "0"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:30164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4752

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3116

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4336

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1776

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:12544

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:12532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:43016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffceda33cb8,0x7ffceda33cc8,0x7ffceda33cd8
2⤵
- Executes dropped EXE
PID:34412

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "34412" "860" "828" "856" "0" "0" "0" "0" "0" "0" "0" "0"
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:35212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffceda33cb8,0x7ffceda33cc8,0x7ffceda33cd8
1⤵
- Executes dropped EXE
PID:5744

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "5744" "860" "832" "856" "0" "0" "0" "0" "0" "0" "0" "0"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:39076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffceda33cb8,0x7ffceda33cc8,0x7ffceda33cd8
1⤵
- Executes dropped EXE
PID:42984

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "42984" "504" "532" "508" "0" "0" "0" "0" "0" "0" "0" "0"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:38712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffceda33cb8,0x7ffceda33cc8,0x7ffceda33cd8
1⤵
- Executes dropped EXE
PID:42960

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "42960" "860" "828" "852" "0" "0" "0" "0" "0" "0" "0" "0"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:36592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffceda33cb8,0x7ffceda33cc8,0x7ffceda33cd8
1⤵
- Executes dropped EXE
PID:5820

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "5820" "868" "836" "864" "0" "0" "0" "0" "0" "0" "0" "0"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:38900

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:30576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:40112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:33460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffceda33cb8,0x7ffceda33cc8,0x7ffceda33cd8
1⤵
- Executes dropped EXE
PID:33436

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "33436" "536" "912" "548" "0" "0" "0" "0" "0" "0" "0" "0"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:30396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:33456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffceda33cb8,0x7ffceda33cc8,0x7ffceda33cd8
1⤵
- Executes dropped EXE
PID:33412

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "33412" "868" "836" "864" "0" "0" "0" "0" "0" "0" "0" "0"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:36576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Loads dropped DLL
PID:5784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffceda33cb8,0x7ffceda33cc8,0x7ffceda33cd8
1⤵
- Executes dropped EXE
PID:5776

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "5776" "868" "836" "864" "0" "0" "0" "0" "0" "0" "0" "0"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:34728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Loads dropped DLL
PID:5716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Loads dropped DLL
PID:33416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Loads dropped DLL
PID:5752

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:31160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Loads dropped DLL
PID:43004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Loads dropped DLL
PID:42996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Loads dropped DLL
PID:42964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Loads dropped DLL
PID:42952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:38552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-75A0ACBC.[coronavirus@qq.com].ncov
Filesize
2.7MB

MD5
948e832cbeffe7e55cb6120f76ee31b8

SHA1
e48caec2cb8d272b32a50b8a963bcfa8f80768c7

SHA256
dce4cf8d848bd7b7e1af98f65253809933b7be8e6e9e48f4d1be2cce81c2c623

SHA512
708f6971dfe60f25d3d5c49d00a194bbc38b05a411eb8cae4488057d6300f170e41f2cab9f2e87e235a1b9bd131cc18583c9a840e785a6958044654b1eed6959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
Filesize
604B

MD5
ec7f080523a1959d7a3e6ef54d9b708b

SHA1
875735761c2427357a580452f1d121a6031e4636

SHA256
47ae86448c34fcf43f2d4ed89b1164b3a9c6e8e86c479df5643086047ecccda2

SHA512
0327b678ee8fbe0a6e89e45c3acc7f47813601d856804e70802419fa63e4ec69c33bd34a3e8b1b934d3fbc85d4966efd80066bbf2db45d2cdf0a9df2621e1218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
Filesize
604B

MD5
07db3101b6e548fc216271ce66014a14

SHA1
caf6ae73bf7e9d051923435940202ba84ac3fdb6

SHA256
c3727cc8522998df4f710a0a7b672a977de0d340754dd6ba393cb52006273180

SHA512
6a21b59307101a0a4f87df631e2ff4e4bff70da844c982683db9bdf470290b2b0fc60a768fd55e879084629b34d58d0274e4fa5a0d6ec644d066650c727e7f8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
Filesize
898B

MD5
debde2f2248a7a20abf87c8fbddf8dff

SHA1
860a0efda6da03a8acbc3d8d6fe4dbef3607830b

SHA256
5ee88df29f4af15b8fc17f2177eca74c5cf98e0c0a14a3e027e14ccc34481845

SHA512
be3463862733a9cd080373faa34b911ad538eed08233d642c3d2554f21ff546e38f674ebc86ff2bd983c21c7c0fc2aff4c2e0d1b4f0523adb448a235c515f31f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
Filesize
1KB

MD5
3bf441a83d3ace693353ed5e81f0cdb4

SHA1
2a5a84f963c86ffb7143f4888e6a960ab867b7ee

SHA256
43d0f4adfb744e5df188da6b9dbabb5edbe2454b97971c15f60ee3b64a1dfb34

SHA512
3f52d831053a8065f6b9a12748a1c129e4ce6dcd23894b9061d23c359fd4b6681ba951d865d974cfa6842fe83d9536b6695ded8e2424de559102f6202481c887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\a54d3c65-8be4-4142-b7b1-9866457bae0f.dmp
Filesize
4.1MB

MD5
d36bf387b2bfce5316271593bf77a3fb

SHA1
3c2c44b14fbaa0af1066d04be99361cecf1e10f8

SHA256
0699423909d302feb6a5ed989155a851a3b4e501d23d5a97c3f020dd46c600d6

SHA512
30cd28dcf8474afd9a459af305f88add4fe99ba0220083400403a7a5369d65d9c0d0b498134d23a2a5b8c69e1748f90a47fff36a6aa76b9fdd3c253cd161c994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0d8db542c2beda61ad57f41b1fe23036

SHA1
1b88962be1d5997367daa7e16a24bc98f36f6bcd

SHA256
8b03e3a678381ca7be2e901f80e7fa69d7c34227385bd38749da1c7c552e58b2

SHA512
77da760401df139407d872f68eb84c483356c4f78ff355615c0eeee901e7aec51c4ab1f121edb29278581a781253dc4e23928ffc9480538aaf95c07f1af3f0b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
861e16ffeed332b77a87ff29d4b3fdd8

SHA1
f4f9e5cb73c7ee2b0f3c2cae933f723ed0197a24

SHA256
c67ef97c9dcd5f75e6946126402c5c91c47a43d7678c0533cbd38d07d7b95b3d

SHA512
8bb37a351022b3db3803ab4adc7810eb73c32eb473a1eb8cddeab955a19812aa76ad1e2623a17b23d1a87833637141caf686eafd4134457ac3d758c946266562

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
05ed8d7350c6abddb2413582af13b728

SHA1
98b3e6793352038355ee54fc58828e5ca1cf0f77

SHA256
878b0ffac96b1428cb415ab15b289258dcf9fc175ac2571622e4dc1219f32c01

SHA512
b80bf631b56588daf08570c05aac9a67cee414403149c223a005a7dd9c81b5e8d4c6f175815106f039d47c1bfef875ecbf65efba106d5107b137f2aabe446058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
db02cfd8d47e3f7fcb0598df3aae86e7

SHA1
40182fa0729afa3f68b6f427bdd5bb0aeed91214

SHA256
eff9bdfd4bec68351a9b17aa7090070ea0adf18096a567a71f8a2af1df752be8

SHA512
79702e3cb629353d6971e7ec81fb622ef1d889b0f6b98b68ec4de79082920d89729b537acdd6f4685e62a36fcfa7633c6d5a4e030674a4122a1fd5ac7cb3c815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
71eb6ee14d939c5ecd970ff27e6a3aac

SHA1
51507f508a8eed724dc236dae1b3873c1b28b1eb

SHA256
9c70d05c3cd76b22e9dcdd95aad387462967f6b3844730b825a2df23598c8cf8

SHA512
90089a77734a45c0b61067c42f5cbe2575c38b0066a6b8966b4f4a7c5281aadc3e7789a9f01573202ea82ebcd4498db62280650ae8c3a96acc61c274373ff35e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
604ecfbf8158f05f01435e194cdcbc2e

SHA1
86fad407f50eb8beb021bb902b7f5e00e334f9af

SHA256
ceb99bcd4b41d9f794fd37e597e77750b0ab0d975fb82e3e63276e7844c1c857

SHA512
26003d94884e4bb3cecef341fc6654e92f9992412d375aa124a2d1800896801d1348571ebd43d5f3acb0a2987164db1263397ae60944758e2391bdc41145206f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
Filesize
44KB

MD5
4f05af995c14e567d6e0847068230001

SHA1
95ef54c4aa61b2468759fa028754242752f6bf36

SHA256
5fe0ab6b0a687a9e3104ca6fe8afead7234d43e475b68c59b22d93b1a156fd78

SHA512
769c0749adcd3f1549dda976c41804cea1c7a166eb0eaef2f024966192ee1a745877a83cffcb20e9b56bad954ec96a736274407e5d4aa2afbb30f98d3d21b9ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
Filesize
264KB

MD5
480f0f913de975057885eaec859645ac

SHA1
c4191c9fefa73776e741300fb028eb7094a6c79b

SHA256
0758e7ff4bd34258c659d656323d3b90ccdee1981988b50256aa536662b8b549

SHA512
e3c8f65c13e4c5e83bac8bf942f5c04076d4cbe4ba4b10687dffba654fca327b05b463aff5f1a24fdbd312f40a0e86e178c7666508d8c800b06a9400c37bea1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3
Filesize
4.0MB

MD5
e7e5ca02118798d10792e1ef64c18bbb

SHA1
9a98929c890d8b70accea88592d254d8d6fe57f3

SHA256
95fa3b32cf80a84d4ff1f7edd71bd22cf12ae042453355101bfbafca7d4e26b4

SHA512
aaf3cf891864577ab3d3303ef73a3f98036937cfc7fa5e91413bd7ed9aefab5e4b75c9a5e53eebce2d90adffdc315d9bb36b9149050b8795dd209bea68b4e247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
04903e0ee5a5a64a60b0d0442b10de56

SHA1
5783aba559cde1375650403a0455ba576dde803e

SHA256
219d2816c67430a3aef7cc6cf429989701f9cfb0eae75a8142af3c90092c268d

SHA512
f64f8a3b5d1afd178eee01f40f2e26c265a1048c192a8df27aa7915fc68071b24f70f01b82ef5f7fce2a87716f0c328397a37d2f311626ccb37c195848e4f940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG
Filesize
322B

MD5
ede36de6c95785000dfeb58548496486

SHA1
def4e2cadceb35ace7113cf4563be7e6965a5f51

SHA256
b58c0f18e202f4c57e304aabd278545394a172c8783391d7fdcc9bf21f64dcf0

SHA512
d95b46d743ae17756cd9db5aca4b071dbbbb884da338d950e5c78bb33aa36fa3bb965745c66630e918fcfb3df47264f34141d0861e7d2c6d787161389c15f593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
Filesize
116KB

MD5
029a6b1082a833a3da60524f1775ea64

SHA1
555ed24292d594929153c84cef5e3dc1f6756856

SHA256
160702b047944897adfcbcf2617db014e33c3a028b07e3346ed1d17331ee3c9c

SHA512
3f48e939d5a139e21ea7f4feb2ffd97e6041a2176ea3f8932c921e1f2fa01b105aea7e8a785efc8733d4bb7dcd4ca1e16712d64a51c1d969ba547c563f2bbfb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
Filesize
331B

MD5
4ff8a5ab8012bfebc2f4eb1537fd2059

SHA1
cd77e728741789b36ddb934e92ace8cb640b38f8

SHA256
0e5b9636bcb338557c76da9144e804ccb2a723e26f553073d2cce12f8b744fd2

SHA512
a29230663b2581d25ac7e20fa5ca598d8231d9c87970eebe6df06cc8cac1a3347c78d08befe886c60940979a3e8b192d735fc536736a3381719f444c3bdd304e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor
Filesize
36KB

MD5
5d352a03280eba57cb274d27ba6c6b7e

SHA1
8887766642a81a1248dd5f93239ce63e93839900

SHA256
3b358849502f5cfd881dd035ff274a5753f90047a131884838c677e22f2305ab

SHA512
b8037a046c4be7be120bbfddedc780a4175fc8e6c863e9095e39a4e16d2e8ced27c40f38c569a79df990057175e3db6aa35eac645598af3647caa5744052bb1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
936B

MD5
d54c1a98ec0b6dead22fd8688866e88b

SHA1
c3a83d4827f09081328de82cb44e5a561ec48d03

SHA256
140d736a3c09db142e4f7b9bc875da6662847721a178ae5c6e8a34a910adb3e4

SHA512
d313d2d8d3fca18a5e89071b7168e748e233438a9b07bd740caf9c178b267cb832563286132d946a95f44475afb7c706c3aa1cf1c5e87d797a4558bbd6e78f46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
133cde94a3a2c4fcee32226967ff7260

SHA1
3a94010d053f0e6750aa62228274e5b9dd0e6950

SHA256
a4a593faeb5b28a8e8f726686579b6889a905b8a2a6d7eb20c465dcbeef90cd2

SHA512
a839f1a88b90902bd3612cea9709ba76efba10396da10a539071dc8e83e8ef242a633e270ec0401eb30b0a298f9eca31ebbd0ea40cf6a4419b01c4dea8eff7db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
634a196bbc626a52ef76e39e57a399a6

SHA1
57c6f774da8db81d1756eefc051360eb64401920

SHA256
5f7c7e0df29fe29526535bcc72819112506a116bbe71f6fe64aeff61a5f44423

SHA512
db767fbc532ae93bfaf001ac18867220ec5535db94a9f6fce1ac8dd56ff6700f0ab01bc38f4a460e4996b0158c73f26f1b1c532d990174961b70a5a16e0879fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
efd84daf86626bec5e15486709f1ab3a

SHA1
61e2f56331434be4595a057b3a5f88fe6423cd6a

SHA256
f95ab9bf83f6cf4ccce056c2b99b3514b2fee950320fbe2d68a2cf10c755dfbd

SHA512
8dd4240f91bfbbe34ec7c31a7fc71f814d7ca7ee69b49c40f34a502280e699f584a34542a6c94cfbd0108d7c431fe08fb084b237996672c47e234521589a91b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
038c87ac4438db556697ccec14b9e509

SHA1
c96f9c4d8e7693eb2a7acacaf1dc26834cc8b491

SHA256
0454d16bb8442e4bfb8a7d314635c219a5cb3a5426e0200c8b902824320fa0cb

SHA512
d49d614e6cf5064b029d1caa87ab3ed0809da4df415dbbbddba70935822d3aa9dfd8413b54f4f252e0112579fca5e8f2b1a763e8255cfc7bb5ba2c40c1ab2706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
afa98d05b0f902c8cd2f428da53c35ae

SHA1
548036a66dfe5b52c08b132563f2bc848ac50104

SHA256
25c688a44f449485ffb4ebbc98fecf317812f34d5dfabd8039fe696db26a6e53

SHA512
14e12bf2c7d22439b5f168fa6e9adb59be21946d2ff8798bdbfd205e94a3e267404155deaef6c3835994d06c3f5706763d03752d956c04730f02be41d0fd69c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
d17f364d91b3a73564a725dc72d719da

SHA1
669326418606b1ffcdcda46f771f64f02cbd7533

SHA256
1d8bf1c759c6e50f23a30cec1b583e23e30ed1822b41e5dc28d66033caf798c1

SHA512
b9f4f11f78b7464d16cedd7bd0a02738ba766c3d1dd75319df6ca5e02802bf30e736f160754ccfd29586ca7b0b25819eeb31c4262f8a68c9fd6b697d1da6b223

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps
Filesize
33B

MD5
2b432fef211c69c745aca86de4f8e4ab

SHA1
4b92da8d4c0188cf2409500adcd2200444a82fcc

SHA256
42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de

SHA512
948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
25KB

MD5
3ac5af97b175ce98a7505e7041b56813

SHA1
842c6585f724d54dfdbac73e6399ef9779fffe1e

SHA256
0c71165e29e64e6ef720a51ffe19bd3f4f2fda61dd8dd563c1a081659e917786

SHA512
89db0d0ddbf02149aad3e14d96b565ea72ff0117c2ee8cb710e1ba698a0c40502e55a9066cb693b8df3e7f35749456ced5b1d8f6512f898c7458142f10995e93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
25KB

MD5
3da3cf652acf7e0fee298963e8cb77d3

SHA1
8d35e8ba0767c10324335e8fc8f5c422ece4e504

SHA256
9b436ba7a14d3947bfe73fa9bd581f6fbf0acbf26e97a3a54d6d032d19f8cf64

SHA512
89e9555edd366fedaf79bf4c6da816a69fb220c987337369511c4422034cad486338a261eb6954d000dbfa636c969d04b65de62bb6df9c023ca5e11c892ee83d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log
Filesize
118B

MD5
7733303dbe19b64c38f3de4fe224be9a

SHA1
8ca37b38028a2db895a4570e0536859b3cc5c279

SHA256
b10c1ba416a632cd57232c81a5c2e8ee76a716e0737d10eabe1d430bec50739d

SHA512
e8cd965bca0480db9808cb1b461ac5bf5935c3cbf31c10fdf090d406f4bc4f3187d717199dcf94197b8df24c1d6e4ff07241d8cfffd9aee06cce9674f0220e29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG
Filesize
319B

MD5
6b69e52174681fd1b04f3f6f38c75082

SHA1
c261790b3e146cc8d228c79871ced776e40b9072

SHA256
eb072c7527d2234968889ce0ab31cd51c7ecf053871fab1d7516561a3493dc5a

SHA512
70c1cbdc61ad326ead761afcf8a86a7500549db5c170a90a8157a0233aaa3d420911d1f0247c6d76e251e50c64be7ecb9cb202e1c166495df019c0bd00d14702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13351857404175507
Filesize
495B

MD5
47f50cfe8ff6430ff42c9754903a9319

SHA1
f9018829a2b734797aa68441176d2cd1d6d91f5d

SHA256
825e4ed80b0295b42adfd33a5011d44cb50c2b661420f8d9a47dbd0954ea8f07

SHA512
0abe3bb052fe871d96b41e0c5bfc0d7273af8d8f0e1c47b59b47e11762b2373f7024ba1a2ef423377f26b1445594618b5a6c49698d492dce5e313a3858e31905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13351857404441507
Filesize
808B

MD5
e1743459362b093a419fa27836eb3e73

SHA1
4e4319e7a8b30aa6da42007dd8c207ce79b20120

SHA256
0933521739424abd6c0212b93753d9d60daa0b5758cb27f63643e10b67656547

SHA512
bfe7df970ebd8dc31f34f30d9e2ce96fac5fd26936f603817a7e333b3fa5670f367a966b80a87320cd5c03824ec654ed477f7eaadf2156230e4a40935f9a477a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts
Filesize
20KB

MD5
8be985ece811ba0a3f10087f5f4e6fd4

SHA1
c87c84d4fe182ffb8362f3cabd33349af94e9b55

SHA256
da78d36c765d3248b1a72ead5f83b7a58cba7d361f17a6831332ee994cee939a

SHA512
901932baea8712e89188cfce00a6b2388ba38697bcbfeebcf8b83b88b0cb26c7323b098ba6983c312ded1041f6e297412010113a32e99a9350aa4492ca40efa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
Filesize
347B

MD5
ba90b25ea02d9821f045eafebf98aa9a

SHA1
f898ba23648ec8b73ba0be088bc2a2242e39df29

SHA256
40397f320a7537d0a9238c6b9e9a4cd18561ee8aaceb9a17c8e5dca6eb4d7bc7

SHA512
b0c60c160e15275033656df8ebdf37bc7eae016f56bed48fe82a75747dcde62e0460eef3c8e5eb0f39b062b90a74aba8cfe5f1ab57bd773fd24a97dc207e483d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
Filesize
323B

MD5
a6c36a8863da5632400d2168ec579f91

SHA1
c9a8c7a8bbf9ed71af4a20d904e86016d5420ac3

SHA256
a36de51d3d12299bc7b785c96182b2c1daa4ee3d92fcdbaca457f1e406de8bc7

SHA512
4f7d150dd73ce388e711a3be9a285b2c69d5e8cac61a939ebd077e5411344691868e2e9cf5c6bd16c6292134f7dfaab2954fe9df89e1ee6e81278358e015ba1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
371B

MD5
3e5314bb812b3144efe6e5e74894850e

SHA1
7382c1330f85a28683edebbb561b91c6befff3ed

SHA256
fdd15be0ebc14f1e2bda94347c1ed587243c1f0d3d9e4e419bd37ef38664e1c0

SHA512
e74a0307c051701c34c1a0c3a677f4b696926eeffaa9349727d8388e6c3c4bc8c3cfd0aaf99a854e95ae8b2a482a6edeb6ce8c17b7b24f93f88fec8ae0a8f271

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
543ed0b235b70d049a8cbe725c318254

SHA1
ffc079063005f5f2e7d6bf783aee5b8d4e9e9ce0

SHA256
a9b3f3d1a015cc36322af331c27ef4dd968a82a9f162a512873a12524cf2f520

SHA512
2a6ae7610b1d95bca3ff557a61d32131309bfdbf954fca0d8246125b068f7856039b41e1af33d1981246bf5760ab867066e2496fb151cfc0842b3bb060d81b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
1e514ddc0680c003d3dc4319036b19ec

SHA1
b75e0fe25a6bb3dc53da70e5289d2bcab8755854

SHA256
6e119702230cdf4d41fd02b6b47cd1580abe71beb84cd4af07a09867a3a0aea7

SHA512
d696e09cb9c9706933e8f604e34da4cf30d9fa41e14fac149792fba6f93a3a6472230b5cc286aefc3cbccdc03d598a489b09284e237f5687f4219ad2b7951d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ad8b5384-939d-4df3-b577-237d084cfb77.tmp
Filesize
4KB

MD5
f75e81b2a648d609421a6e09a44e5bf8

SHA1
3eed1da5b3fc069b3c9ce10f366fb529b868bc88

SHA256
9645c1b00adf355e1f2eec7969c6227f7b455b3a56034cb170ca5956f8616c9b

SHA512
3a0bc761b7e2f20eb27edfb612030feb0fe20a23ed90e40494ec883ddb620e9b73e2fecf73ed4b0d005c12ba8911280f6434fe50df9f7408f9f4873561c76e52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG
Filesize
200B

MD5
7eb9c3557f88cc507ff2eb7e1da128cd

SHA1
d5f9801b2401a26da063b30a7220c987a7ab26c9

SHA256
79b0f48fd2f51240a52466decca67827c011b2d82d0b59317600f312d776269e

SHA512
3266b9169b5c43156d391ef928e5a20ccb5b294ad1e1dee011ecdb65a69f4ad8c1b04f41d98a3032310631f852d802a88e5e1972143cad405136d3cc8ff5d6ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002
Filesize
50B

MD5
22bf0e81636b1b45051b138f48b3d148

SHA1
56755d203579ab356e5620ce7e85519ad69d614a

SHA256
e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

SHA512
a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db
Filesize
16KB

MD5
9a8e0fb6cf4941534771c38bb54a76be

SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c

SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
Filesize
44KB

MD5
801ec548157b639e31f8ac2508e52c89

SHA1
6db308d4b42fa43c355d2060ee2ee6387c7fe3bc

SHA256
543a6190674ee2b3eb1e882658e420e9a5a268c2e1ffc4a93e87a1a8d5c1ce30

SHA512
7c4d5a56de91c7aeaaa18e7bd024343b6e1bc0006d082c5c03b94ca87cdbac5194ada4e4e3cfb49e2152b54b45eff2605f418e4706a8276a709f38b379e2193d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db
Filesize
16KB

MD5
d926f072b41774f50da6b28384e0fed1

SHA1
237dfa5fa72af61f8c38a1e46618a4de59bd6f10

SHA256
4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249

SHA512
a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log
Filesize
4KB

MD5
91b1e9b95d3c4a61c79dad3b1d518a47

SHA1
3723b58ea6928f3ee832d2cc0f88577606f76326

SHA256
6d63e90c3552ff95cc3f5f462f5fdc0d9ef2fdaf38aac4576af85c3ca76eafb0

SHA512
021c1a4820699e9929de918b5ed8f9c4c5b803f8edd48f97c861e91557070b484f596b81a4012621d4bba0cfe56b94fd4554308fd7a43239a4b921b5a4b99117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
Filesize
319B

MD5
b60aa592e25966c697547b9f7e178a96

SHA1
4bd7ca02abeec2c1a6e8d8f75a46b054362b3701

SHA256
4b0206a92ec3860160e43abc428dd3aa3bb6b058b4ff80967aa8c2bf4207775b

SHA512
5734639a978facc9aa7a6a7638617df2e682552a0ec71d7ff9ba4d7d895ba34e9780508ec26037d70b1f0a727cabb4047922ec9a4747ac1ba92f0dbebf2fdd26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log
Filesize
318B

MD5
c9d2bd9dfc74360a6ac26a5d1e979a63

SHA1
79a8baa5ac075b7626f0e02355f657e82fb519f2

SHA256
3afa895795178a3c48081fe63337f5d71e8dc8f48415712669cd4cd93ecccdd1

SHA512
afb868889007f0815d48174be186548b593cffb9ae73ac9c79478bc8567543149540ed17f84ebe3a5e189217bc49fad9cf87069284076bd86c7e7a0d09ff34aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
Filesize
337B

MD5
c0fdf6fc29454d9d2fb1cb46967693f8

SHA1
c557c185f2f8c5f742cc0dd65e79fc04a300d930

SHA256
2528b2cebfbc4bba60895a5ec54086b7e62b84c6f6652f2c04cd3558f175899e

SHA512
e4e157b722e3734af36e94bd3dafa376076fd00d4a1951455b410b68804347fc88301d3d79fdf128e327f03a2e8e8cb2cc7cde83994bd029030a591b3c8380dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0
Filesize
44KB

MD5
3f15be513332d0a5a7e967e1b7f2dab8

SHA1
5e5e247f347689894eeaa774a869a8dadab391a8

SHA256
380f8e74669dd43ba16dc47cc6d47541cbee84f35e8eddcc47cad44b2ce5d07f

SHA512
706a555b7c8a49dd6c7b11f229f439c2c23e515cc48165956d483076376c762425fd11e08310a197265f3cdbde2c9bcdc29940007bfb41c7e62a6a49423fd2b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
25828ab2557ad4d21ec66ef3b4e56422

SHA1
1ca953d4f1bec62cdd739e9eeaad1558510f4507

SHA256
08be380831c50385fc5be2fbf2cb652affea44743dd0507b9dc59542fcb93fe7

SHA512
372a90a9e2c737a102271e04e10645ce5b67eeacc48a5c88b987171af84af32d61ea4efd681f8bc0edbb2e5b66dce7110284e17121767710138a5a5dfefbbbba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3
Filesize
4.0MB

MD5
54381ea6c95fee2808405a880bb9c3f6

SHA1
92c65ea2c1e6809d877dc148d7509e887d1dcf29

SHA256
3f21b681f9b385d51ea2c08554c875177b20005dd08b4e8c77314dbd6ec71f6e

SHA512
6e659c565d9978e3ddff679bcabb717d755245161808903959356a685aa654dab3669b7db968c451e62fcf78efc24c46b9f37fa166922723727f53bccbf9102e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001
Filesize
20KB

MD5
7e86d5c1bf2ff36b15bfbd8fcf748b16

SHA1
59a1515ddff8caec85c4f27ffb17b69a42ec6226

SHA256
82f03e141e82546b261c1a24cd9ae3cfd4b19a7b4f343a296428deeda88cf856

SHA512
943fdf966d2ca4bfb35e01431e7bae1611e86d4bbf9c27524ba4502a9a93b8c0bb39e7760a8ee76993c4099da1ff49febe0b48468f134d4121f22a0ffb41bf2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002
Filesize
20KB

MD5
2a029687e73114ebcb4fad10c0114e8a

SHA1
f09cbbed46b9f8c731568bdcee13024e89bda397

SHA256
fe6e92a5b020858bbdd8089533c6f22703bc5927e22f689c384164096705b11b

SHA512
211dc45e2bb5739bcf863c44ca8132f92e895b3c95d074929aa4338698d53c6ccb3a8e2f23180260d9226073f4f5cd21a200010a7a224de7c8ac2e1cc853730d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
b1e29d6ccee2e150e3d54fa13eb1c816

SHA1
3aa017409edb9ddd357022df4c87c1384de9d5f5

SHA256
0bd78988b235ca4bbf151527dabb5d21bdb5073fddc6df74cba3d68fe1d39d79

SHA512
bcc07d9474cfbeb92cc337dc5b054ad8075e33abbfee7ff3ec7009a5bcc7927ffb6750c6957496d8ba28a187bceb932eea3012b88b8fbedbdc2c32ce8106d24a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
23e561a6edf0e7b20877c26b711654f2

SHA1
0471eaf8857a9c6bc8c6d4ab7ab9ec274ce684ea

SHA256
a6c44ef90be0ca40643fb5d1de5f3fa8bdd5e0be5deaa22e5b948e9e86660c07

SHA512
2d30045d94249106a87e5de6872fc67cfcf708fc89f4bae123db9cd5c2f31bfb804cb24b290fa9be16501aaed50a31e862ff26a9ce5d77d894da0554e7fa7dd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
2174650c38ed88db62ddd42283e436ff

SHA1
08763799774e66f7d36a9113273a38f56f168628

SHA256
232ac7535d8dddb9c8ba42a3a76414fe7dec0f91aea2ab994f0a88ddb58fe8bb

SHA512
aece6b7e81516af68548c8f28170b929b1991a3827575ab173c99f13581cdb2f244f27a633bb0e6f08a5f95887c4938bb4409e045faeb096c8b8b02be0c2ac91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
93e221739c240ba026440ea078738582

SHA1
441a386771b8a8d54fd1dcebfc965324cfd629b8

SHA256
73c02a55ef446c12644eb5f34a87e49bd6ad19ab2d268bad392d4ab5bf119c1c

SHA512
e47924ed6541a651f9b48e9d7fff1327f505c25da4578ea9243d3cacedbdd43b89e780755bb930177111308f7400ec57875e83c3fa73b36f5bab5728cf1332dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
a153ad0c81f2e0edd603da9419bce91a

SHA1
cbb86387cc2b23de10ffca659f8729745be798bc

SHA256
eec79798679fc1accd2e5bdb4f4363dad3d384d081ae3d27f445eeff6c523eab

SHA512
b765268541289ef54c1ad1d49b2768cef726445c457af24b769634902d45264644bc6a444703342d6bfca904f65a2b4be90765d4951ac7122277ae64ff8958dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt
Filesize
4B

MD5
213ca1e40a593e9afc0bbb04eba83afb

SHA1
434e4f142547d814ed9473fbf9cd808db078893a

SHA256
253517b2f4284ee32e55898a91cbba76cde6fd75f44c2c02b6678a43de326740

SHA512
eb98af3b1ae251eeacdd4356a87c54a09ed62cc8db03a163cb36bd3a317144f51619bc39f9b4fcdeffe1d7275e290476738a4813a0c0373ad660fadbde55dfdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll
Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\B611.tmp\B612.tmp\B613.vbs
Filesize
352B

MD5
3b8696ecbb737aad2a763c4eaf62c247

SHA1
4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5

SHA256
ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569

SHA512
713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\B611.tmp\eulascr.exe
Filesize
143KB

MD5
8b1c352450e480d9320fce5e6f2c8713

SHA1
d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a

SHA256
2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e

SHA512
2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 402306.crdownload
Filesize
381KB

MD5
35a27d088cd5be278629fae37d464182

SHA1
d5a291fadead1f2a0cf35082012fe6f4bf22a3ab

SHA256
4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69

SHA512
eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 43591.crdownload
Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
\??\pipe\LOCAL\crashpad_4540_WFOKMCCRJJXFURPK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1300-6112-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1300-666-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1300-798-0x000000000A6B0000-0x000000000A6E4000-memory.dmp

Filesize
208KB

Download
memory/1300-799-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2636-24638-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2636-12988-0x000000000A560000-0x000000000A594000-memory.dmp

Filesize
208KB

Download
memory/2636-13261-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2636-24639-0x000000000A560000-0x000000000A594000-memory.dmp

Filesize
208KB

Download
memory/2636-797-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2732-221-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/2732-220-0x00007FFCDB170000-0x00007FFCDBC32000-memory.dmp

Filesize
10.8MB

Download
memory/2732-219-0x00007FFCDADD0000-0x00007FFCDAF1F000-memory.dmp

Filesize
1.3MB

Download
memory/2732-212-0x00000000006E0000-0x000000000070A000-memory.dmp

Filesize
168KB

Download
memory/2732-222-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/2732-223-0x000000001CEC0000-0x000000001D082000-memory.dmp

Filesize
1.8MB

Download
memory/2732-224-0x000000001D5C0000-0x000000001DAE8000-memory.dmp

Filesize
5.2MB

Download
memory/2732-226-0x00007FFCDB170000-0x00007FFCDBC32000-memory.dmp

Filesize
10.8MB

Download