Analysis

  • max time kernel
    136s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-02-2024 22:40

General

  • Target

    https://github.com/Da2dalus/The-MALWARE-Repo/raw/master/Ransomware/CoronaVirus.exe

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail coronavirus@qq.com Write this ID in the title of your message 06426DDE In case of no answer in 24 hours write us to theese e-mails: coronavirus@qq.com You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

coronavirus@qq.com

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (492) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/raw/master/Ransomware/CoronaVirus.exe
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd753f46f8,0x7ffd753f4708,0x7ffd753f4718
      2⤵
      PID:3212
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
      2⤵
      PID:2100
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2204
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
      2⤵
      PID:424
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
      2⤵
      PID:3924
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
      2⤵
      PID:4864
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
      2⤵
      PID:4836
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3892
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
      2⤵
      PID:4524
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5180 /prefetch:8
      2⤵
      PID:4740
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6240 /prefetch:8
      2⤵
      PID:1148
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
      2⤵
      PID:1700
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
      2⤵
      PID:1696
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
      2⤵
      PID:1528
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
      2⤵
      PID:1012
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5080
    • C:\Users\Admin\Downloads\CoronaVirus.exe
      "C:\Users\Admin\Downloads\CoronaVirus.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:256
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        PID:3040
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          4⤵
          PID:8012
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:8196
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        PID:7988
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          4⤵
          PID:6560
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:6700
      • C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
        3⤵
        PID:6552
      • C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
        3⤵
        PID:6924
    • C:\Users\Admin\Downloads\CoronaVirus.exe
      "C:\Users\Admin\Downloads\CoronaVirus.exe"
      2⤵
      • Executes dropped EXE
      PID:4380
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,14830991955889958388,13148227626037853477,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5344 /prefetch:2
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:23240
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3668
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1544
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3252
  • C:\Users\Admin\Downloads\CoronaVirus.exe
    "C:\Users\Admin\Downloads\CoronaVirus.exe"
    1⤵
    • Executes dropped EXE
    PID:31840
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:8760
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:28056
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:28092
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:9200

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    • Indicator Removal (T1070): 2
    • File Deletion (T1070.004): 2
    • Modify Registry (T1112): 1
  • Credential Access
    • Unsecured Credentials (T1552): 1
    • Credentials In Files (T1552.001): 1
  • Discovery
    • Query Registry (T1012): 2
    • System Information Discovery (T1082): 3
  • Collection
    • Data from Local System (T1005): 1
  • Command and Control
    • Web Service (T1102): 1
  • Impact
    • Inhibit System Recovery (T1490): 2


Downloads

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.dll
    Filesize: 3.6MB
    MD5: d3f0468ab060b92d082e69ef35c06d65
    SHA1: 8f7633f71e3f43028c3fc82ab8f4b0e7cef90998
    SHA256: 48d9bad75cc38de4c2c8d686eea813118086be24249c77ef87b2e8ba81b5e2d2
    SHA512: f4c254cf0d44a32f67818a91e1ae7d7392c2928514d40bb30c7f5a54f69e5a06e2df21bfdbf7959ab9bd9e0d44232e9c6205c6c29a55bc36bb30189232e72e86

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Filesize: 3.2MB
    MD5: ad8536c7440638d40156e883ac25086e
    SHA1: fa9e8b7fb10473a01b8925c4c5b0888924a1147c
    SHA256: 73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a
    SHA512: b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: eb20b5930f48aa090358398afb25b683
    SHA1: 4892c8b72aa16c5b3f1b72811bf32b89f2d13392
    SHA256: 2695ab23c2b43aa257f44b6943b6a56b395ea77dc24e5a9bd16acc2578168a35
    SHA512: d0c6012a0059bc1bb49b2f293e6c07019153e0faf833961f646a85b992b47896092f33fdccc893334c79f452218d1542e339ded3f1b69bd8e343d232e6c3d9e8

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5339dad6-f9f5-4ed1-955b-21119315f46b.tmp
    Filesize: 261B
    MD5: 2c2e6472d05e3832905f0ad4a04d21c3
    SHA1: 007edbf35759af62a5b847ab09055e7d9b86ffcc
    SHA256: 283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03
    SHA512: 8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Collections\collectionsSQLite
    Filesize: 64KB
    MD5: 2b65c5d1ab0aa3f3f57c635932c12a5d
    SHA1: b532c837537438e591d5d6adbf96a5dfe5c40eba
    SHA256: c111777e9b9a42cf62b06900b847283238af63d15033c40577cb10aaa58c084a
    SHA512: 7d75089fb928c23c0166a74bb2baa3c1245bb23012d30ec2cf1fe71f8412700d354d4b9b8070309b23a5b003e37727ecd00f9ffaa018ffa5bb67ad1bed58e175

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
    Filesize: 124KB
    MD5: 458a8f1fd7c698b07c61c04a6b1e1b28
    SHA1: a458df1437f615741e717495dcb49ae788bce9ea
    SHA256: dfdb2fcc47c31cb6bb9d8c4605654426316826f930bd1c2b4fef8d81fab8ba1f
    SHA512: 47c0126ea8a8a2f932b22932c09f04968491c236cd449dc21e6ea117a2daadfa2600f4c254356a37c4dc6023e4364efa3697bd37e518383c0ce46849f1ba125c

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 111B
    MD5: 285252a2f6327d41eab203dc2f402c67
    SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
    SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
    SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: ea57d01582800ab05d6008ff23223050
    SHA1: 46bed2529536ed8bc3d3b666d0626df1b69ad5c8
    SHA256: 5a33b280f0785c34536aeed01691932ee0ad80db5b4e6a08281aa767d90f4d33
    SHA512: 4fa46fd85582d9bdb1cd6aa39c407e6548f194272fe3c36b972ed3250232e4e8ecee63084936189c20196d22dfa0a3d9cb542ec0198ddfe55004cb8ad7de2cfd

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 66bcb0e0e9a63193ef154a56659fcce2
    SHA1: 8e0c2735df4c40043f3448618e66152626718d3a
    SHA256: 3635050cc80fa3fca5c1cd89ae9edfc7f0641080629c28a752f8fd0ba9baf8f5
    SHA512: da62dbe0cc6d75460d2a394970942ba058d519dc98b558965d6882173fecff51887cb9470ee042f23e8341ebc02dc0bcfea22911445d80ddb192b9416914f8d4

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: f82a90770597568fc98252b692558de1
    SHA1: 7e37a8094c1a94d75865a7cb37cf387f56966027
    SHA256: 06a3b9c2fe8295b13bb63b72f36fe021ea9f18c6e4812718ca090cc7243051c3
    SHA512: b4b40c9b72a1feedbf82b0ee9f0366247eff1e8a2329a04b1cfa26e2e68e9f0bc45992dfa595566d74690f3a8d361450b7acbce406702576c063292ef951bc6d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
    Filesize: 24KB
    MD5: 2bbbdb35220e81614659f8e50e6b8a44
    SHA1: 7729a18e075646fb77eb7319e30d346552a6c9de
    SHA256: 73f853ad74a9ac44bc4edf5a6499d237c940c905d3d62ea617fbb58d5e92a8dd
    SHA512: 59c5c7c0fbe53fa34299395db6e671acfc224dee54c7e1e00b1ce3c8e4dfb308bf2d170dfdbdda9ca32b4ad0281cde7bd6ae08ea87544ea5324bcb94a631f899

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5

                                                6752a1d65b201c13b62ea44016eb221f

                                                SHA1

                                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                SHA256

                                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                SHA512

                                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log
                                                Filesize

                                                560B

                                                MD5

                                                2200ae50e218623eb66baeb6a77e1489

                                                SHA1

                                                6ba3c1371a1d196c390359aa848c8ef193941dff

                                                SHA256

                                                55353ef9a47b4a09ee452cab41219dba07b2b042d338dc4e8250c1d3184e0c5b

                                                SHA512

                                                7d9b0b16036435d2d69d8b7b0ff7841ccf557d838c60443ebc099bb601b0c8b4637e657b30fb094fec8156c7d7d8ff956c5ae32f6e402ae40fd92f3e9dbf7bb7

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                Filesize

                                                10KB

                                                MD5

                                                d60a24631e708ba301f3af0b0b297a6b

                                                SHA1

                                                60149a04f9fe89afb69c71b35d07af5690585866

                                                SHA256

                                                74e2a8712e346ee17cadadc979fc6090a769226a88a4b1742521b611b9b1c056

                                                SHA512

                                                646e63eea6044d60df57d07f2b8ec28da2ac645c4b92efff5ec25b45f6553c778615e4e991ecf22a70f8c159ee2e7e383d2a87c97861d7254b18c34cd829aaf3

                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f8cbf827-658d-4da5-9b87-4d32325b9003.tmp
                                                Filesize

                                                10KB

                                                MD5

                                                12102d523d04c5392a48ef13932061c8

                                                SHA1

                                                0a05e2274a71bec2042689a2c829c59f4e5a8118

                                                SHA256

                                                7e3366277a1a619aecee8ecd669ba516cdd5a0c3e619df37a609ea4412089fa2

                                                SHA512

                                                f45aa3a29a1ff6cb01c0dccff7e7d0fbdbb8715e4c41cbdd1c10ffa3d063cd08f79484608326c9e42e22fa9cf6ed261c749e78ae77cea3bf78bfcae1ddc4ef0b

                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
                                                Filesize

                                                13KB

                                                MD5

                                                cbaf7bf52369864ad3a0de6aa429aa47

                                                SHA1

                                                1b043805d459e00d044113307b0ea1ea81b98ab1

                                                SHA256

                                                b0a8e5ffc7c9e348e63a082014b4c17ce30c29876bd3061c27dead9c93ca6f0a

                                                SHA512

                                                4c10e70af358d4e8961d304bdaaa9f493eac7d648fe47eed16b506df283d2e6537708f83a1ee71d75d7362232b3ea66abab79f98288a7a4f774b17c9b36ab5e4

                                              • C:\Users\Admin\Downloads\Unconfirmed 667003.crdownload
                                                Filesize

                                                1.0MB

                                                MD5

                                                055d1462f66a350d9886542d4d79bc2b

                                                SHA1

                                                f1086d2f667d807dbb1aa362a7a809ea119f2565

                                                SHA256

                                                dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

                                                SHA512

                                                2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

                                              • \??\pipe\LOCAL\crashpad_3128_WZGWDJRCVZMNNKUE
                                                MD5

                                                d41d8cd98f00b204e9800998ecf8427e

                                                SHA1

                                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                SHA256

                                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                SHA512

                                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

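Two caveats on the dropped-file digests above before they are copied into a blocklist. First, the four digests listed for the `\??\pipe\LOCAL\crashpad_3128_...` entry are the MD5, SHA1, SHA256 and SHA512 of zero bytes: a named pipe has no file content, so that entry is not an indicator of anything. Second, `Unconfirmed 667003.crdownload` is Chromium's in-progress download name for the submitted URL's target, so its digest covers whatever bytes had been written when the sandbox captured it, and the Startup-folder `Info.hta` embeds the per-victim ID shown in the ransom note, so its hash is specific to this run. The script below is an added example, not part of the sandbox report: it takes a subset of the entries transcribed from the listing above (a constructed list for illustration), drops any entry whose digests are those of empty input, and matches file bytes against the remaining SHA256 values. The helper names (`usable_iocs`, `match_file_bytes`) are this example's own.

```python
import hashlib

# Subset of the dropped-file entries transcribed from the report above.
# Constructed for this example; the report lists many more files.
REPORT_ENTRIES = [
    {
        "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta",
        "md5": "cbaf7bf52369864ad3a0de6aa429aa47",
        "sha1": "1b043805d459e00d044113307b0ea1ea81b98ab1",
        "sha256": "b0a8e5ffc7c9e348e63a082014b4c17ce30c29876bd3061c27dead9c93ca6f0a",
        "sha512": "4c10e70af358d4e8961d304bdaaa9f493eac7d648fe47eed16b506df283d2e6537708f83a1ee71d75d7362232b3ea66abab79f98288a7a4f774b17c9b36ab5e4",
    },
    {
        "path": r"C:\Users\Admin\Downloads\Unconfirmed 667003.crdownload",
        "md5": "055d1462f66a350d9886542d4d79bc2b",
        "sha1": "f1086d2f667d807dbb1aa362a7a809ea119f2565",
        "sha256": "dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0",
        "sha512": "2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1",
    },
    {
        # Named pipe: the report hashed zero bytes of content here.
        "path": r"\??\pipe\LOCAL\crashpad_3128_WZGWDJRCVZMNNKUE",
        "md5": "d41d8cd98f00b204e9800998ecf8427e",
        "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
    },
]

ALGOS = ("md5", "sha1", "sha256", "sha512")


def digests(data: bytes) -> dict:
    """All four digests of one byte string, lower-case hex, keyed like the report."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


# Digests of zero bytes; any entry that carries exactly these has no content.
EMPTY_DIGESTS = digests(b"")


def is_empty_content(entry: dict) -> bool:
    """True when every digest in the entry equals the digest of empty input."""
    return all(entry[algo].lower() == EMPTY_DIGESTS[algo] for algo in ALGOS)


def usable_iocs(entries) -> dict:
    """Map SHA256 -> report path for entries that actually had content."""
    return {e["sha256"].lower(): e["path"] for e in entries if not is_empty_content(e)}


def match_file_bytes(data: bytes, iocs: dict):
    """Return the report path whose SHA256 matches `data`, or None if no indicator matches."""
    return iocs.get(hashlib.sha256(data).hexdigest())


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Digest an on-disk file in chunks so large files do not need to fit in memory."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


if __name__ == "__main__":
    iocs = usable_iocs(REPORT_ENTRIES)
    print(f"{len(iocs)} usable SHA256 indicators out of {len(REPORT_ENTRIES)} entries")
    # An empty file on a scanned host must not trip the crashpad pipe entry.
    print("empty content matched:", match_file_bytes(b"", iocs))
```

On a real host, feed `hash_file(path)["sha256"]` into `iocs.get(...)` instead of `match_file_bytes`; the chunked reader keeps memory flat on large volumes.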
                                              • memory/256-2751-0x0000000000400000-0x000000000056F000-memory.dmp
                                                Filesize

                                                1.4MB

                                              • memory/256-117-0x0000000000400000-0x000000000056F000-memory.dmp
                                                Filesize

                                                1.4MB

                                              • memory/256-116-0x000000000ADC0000-0x000000000ADF4000-memory.dmp
                                                Filesize

                                                208KB

                                              • memory/256-113-0x0000000000400000-0x000000000056F000-memory.dmp
                                                Filesize

                                                1.4MB

                                              • memory/4380-4885-0x0000000000400000-0x000000000056F000-memory.dmp
                                                Filesize

                                                1.4MB

                                              • memory/4380-4886-0x000000000AC80000-0x000000000ACB4000-memory.dmp
                                                Filesize

                                                208KB

                                              • memory/4380-2507-0x0000000000400000-0x000000000056F000-memory.dmp
                                                Filesize

                                                1.4MB

                                              • memory/31840-14684-0x0000000000400000-0x000000000056F000-memory.dmp
                                                Filesize

                                                1.4MB

                                              • memory/31840-20169-0x0000000000400000-0x000000000056F000-memory.dmp
                                                Filesize

                                                1.4MB

                                              • memory/31840-20728-0x0000000000400000-0x000000000056F000-memory.dmp
                                                Filesize

                                                1.4MB
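The memory-dump names above encode the process ID, a capture sequence number and the start and end virtual addresses of the dumped region, and the Filesize label is just the difference of those two addresses (0x56F000 - 0x400000 = 0x16F000 bytes, about 1.4MB; 0xADF4000 - 0xADC0000 = 0x34000 bytes, 208KB). The same 0x400000-0x56F000 range was captured repeatedly from three PIDs (256, 4380 and 31840), which is consistent with one 32-bit image mapped at its default base in each process rather than three different payloads, so the dumps de-duplicate to far fewer distinct regions than the listing suggests. The parser below is an added example, not the sandbox's own tooling: it reads the names transcribed from the listing (a constructed list), recomputes the sizes, and reports which ranges recur across processes. The helper names (`parse_dump_name`, `unique_regions`, `shared_ranges`, `human_size`) are this example's own, and `human_size` only approximates the report's size labels.

```python
import re
from collections import defaultdict

# Memory-dump names transcribed from the listing above (constructed list for this example).
DUMP_NAMES = [
    "memory/256-2751-0x0000000000400000-0x000000000056F000-memory.dmp",
    "memory/256-117-0x0000000000400000-0x000000000056F000-memory.dmp",
    "memory/256-116-0x000000000ADC0000-0x000000000ADF4000-memory.dmp",
    "memory/256-113-0x0000000000400000-0x000000000056F000-memory.dmp",
    "memory/4380-4885-0x0000000000400000-0x000000000056F000-memory.dmp",
    "memory/4380-4886-0x000000000AC80000-0x000000000ACB4000-memory.dmp",
    "memory/4380-2507-0x0000000000400000-0x000000000056F000-memory.dmp",
    "memory/31840-14684-0x0000000000400000-0x000000000056F000-memory.dmp",
    "memory/31840-20169-0x0000000000400000-0x000000000056F000-memory.dmp",
    "memory/31840-20728-0x0000000000400000-0x000000000056F000-memory.dmp",
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name: str) -> dict:
    """Split one dump name into pid, sequence number, address range and size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    pid, seq = int(m[1]), int(m[2])
    start, end = int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def human_size(n: int) -> str:
    """Approximate the report's size labels: B, whole KB, or MB with one decimal."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    if n >= 1 << 10:
        return f"{n // (1 << 10)}KB"
    return f"{n}B"


def unique_regions(names) -> list:
    """Distinct (pid, start, end) regions; repeated captures of one range collapse to one."""
    return sorted({(d["pid"], d["start"], d["end"]) for d in map(parse_dump_name, names)})


def shared_ranges(names) -> dict:
    """Address ranges dumped from more than one PID, mapped to the sorted PIDs that had them."""
    by_range = defaultdict(set)
    for d in map(parse_dump_name, names):
        by_range[(d["start"], d["end"])].add(d["pid"])
    return {rng: sorted(pids) for rng, pids in by_range.items() if len(pids) > 1}


if __name__ == "__main__":
    for name in DUMP_NAMES:
        d = parse_dump_name(name)
        print(f"pid {d['pid']:>5} seq {d['seq']:>5} "
              f"{d['start']:#x}-{d['end']:#x} {human_size(d['size'])}")
    print("distinct regions:", len(unique_regions(DUMP_NAMES)))
    for (start, end), pids in shared_ranges(DUMP_NAMES).items():
        print(f"range {start:#x}-{end:#x} seen in pids {pids}")
```

When pulling these dumps for static analysis, take one capture per distinct region (the highest sequence number is the latest state) rather than every file; the 0x400000-0x56F000 captures from the three PIDs are the ones to compare against each other to confirm they hold the same image.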