dharma | hxxp://Youareanidiot[.]cc

Resubmissions

31-03-2024 14:38

240331-rzx63sdf2v 10

31-03-2024 14:35

31-03-2024 14:31

31-03-2024 14:27

31-03-2024 14:14

Analysis

max time kernel
658s
max time network
646s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2024 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://Youareanidiot.cc

Score

10^/10

dharma persistence ransomware spyware stealer upx

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (496) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Program Files\Common Files\System\symsrv.dll	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CoronaVirus.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	CoronaVirus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	msedge.exe

Drops startup file 5 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe

Executes dropped EXE 13 IoCs

Processes:

Floxif.exeFloxif.exeFloxif.exeFloxif.exeFloxif.exeFloxif.exeFloxif.exeCoronaVirus.exeCoronaVirus.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
940	Floxif.exe
3944	Floxif.exe
540	Floxif.exe
1848	Floxif.exe
3364	Floxif.exe
4944	Floxif.exe
2124	Floxif.exe
1436	CoronaVirus.exe
22460	CoronaVirus.exe
9528	msedge.exe
9500	msedge.exe
9800	msedge.exe
16100	msedge.exe

Loads dropped DLL 11 IoCs

Processes:

Floxif.exeFloxif.exeFloxif.exeFloxif.exeFloxif.exeFloxif.exeFloxif.exemsedge.exemsedge.exemsedge.exe

pid	process
940	Floxif.exe
3944	Floxif.exe
540	Floxif.exe
1848	Floxif.exe
3364	Floxif.exe
4944	Floxif.exe
2124	Floxif.exe
9528	msedge.exe
9528	msedge.exe
9800	msedge.exe
16100	msedge.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files\Common Files\System\symsrv.dll	upx
behavioral1/memory/940-1192-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/940-1195-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3944-1217-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3944-1219-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/540-1222-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/540-1224-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1848-1227-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3364-1230-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1848-1232-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3364-1234-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4944-1267-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4944-1269-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2124-1281-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2124-1283-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CoronaVirus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

127 raw.githubusercontent.com
126 raw.githubusercontent.com
Drops file in System32 directory 2 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Windows\System32\Info.hta CoronaVirus.exe
File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe

flow	ioc
127	raw.githubusercontent.com
126	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\ThreeWayBlendPage.xbf	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ppd.xrm-ms.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons_2x.png.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-oob.xrm-ms.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-private-l1-1-0.dll.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\mfcm140u.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\THMBNAIL.PNG.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-unplated_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee90.tlb	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerWideTile.contrast-black_scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-lightunplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\ui-strings.js.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons2x.png.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\or.pak.DATA.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\MSADDNDR.OLB.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdrawable_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\wmpnssci.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\System.Windows.Input.Manipulations.resources.dll.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\PREVIEW.GIF.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-36.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\ieinstal.exe.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\dot.cur.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PEOPLEDATAHANDLER.DLL.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAI.TTF	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\vlc.mo.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.White@2x.png	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_common.dll.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\ui-strings.js.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-xstate-l2-1-0.dll.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-BoldIt.otf.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as90.xsl.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ppd.xrm-ms	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\AddressBook.png.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER32.DLL.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-30_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\calendars.properties.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-default.svg.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ca-es\ui-strings.js.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\nl.pak.DATA.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\WMPMediaSharing.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.scale-200_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-lightunplated.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\AppStore_icon.svg.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\IrisProtocol.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\ProgressControl.xaml	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.WebClient.dll.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-30_altform-unplated_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarMediumTile.scale-125.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ppd.xrm-ms.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\bg.pak.DATA	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\bs.pak.DATA.id-DF96F5A3.[coronavirus@qq.com].ncov	CoronaVirus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4460	940	WerFault.exe	Floxif.exe
5016	3944	WerFault.exe	Floxif.exe
1484	540	WerFault.exe	Floxif.exe
1996	1848	WerFault.exe	Floxif.exe
3388	3364	WerFault.exe	Floxif.exe
4220	4944	WerFault.exe	Floxif.exe
996	2124	WerFault.exe	Floxif.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

10012 vssadmin.exe
22000 vssadmin.exe

pid	process
10012	vssadmin.exe
22000	vssadmin.exe

Modifies registry class 3 IoCs

Processes:

msedge.exemsedge.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-566096764-1992588923-1249862864-1000\{00468E4F-F9B6-491F-A617-4427F3FFEF77}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 3 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 859398.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 219791.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 678806.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeCoronaVirus.exe

pid	process
212	msedge.exe
212	msedge.exe
2732	msedge.exe
2732	msedge.exe
3988	identity_helper.exe
3988	identity_helper.exe
952	msedge.exe
952	msedge.exe
3804	msedge.exe
3804	msedge.exe
3804	msedge.exe
3804	msedge.exe
2444	msedge.exe
2444	msedge.exe
412	msedge.exe
412	msedge.exe
4488	msedge.exe
4488	msedge.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe
1436	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

Processes:

msedge.exe

pid	process
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

Floxif.exeFloxif.exeFloxif.exeFloxif.exeFloxif.exeFloxif.exeFloxif.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	940	Floxif.exe
Token: SeDebugPrivilege	3944	Floxif.exe
Token: SeDebugPrivilege	540	Floxif.exe
Token: SeDebugPrivilege	1848	Floxif.exe
Token: SeDebugPrivilege	3364	Floxif.exe
Token: SeDebugPrivilege	4944	Floxif.exe
Token: SeDebugPrivilege	2124	Floxif.exe
Token: SeBackupPrivilege	7288	vssvc.exe
Token: SeRestorePrivilege	7288	vssvc.exe
Token: SeAuditPrivilege	7288	vssvc.exe

Suspicious use of FindShellTrayWindow 60 IoCs

Processes:

msedge.exe

pid	process
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe
2732	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

4228 OpenWith.exe

pid	process
4228	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2732 wrote to memory of 2272	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 2272	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 1020	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 212	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 212	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe
PID 2732 wrote to memory of 620	2732	msedge.exe	msedge.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection msedge.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://Youareanidiot.cc
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffa53c346f8,0x7ffa53c34708,0x7ffa53c34718
2⤵
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2300 /prefetch:2
2⤵
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
2⤵
PID:620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
2⤵
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
2⤵
PID:1452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
2⤵
PID:2908

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
2⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
2⤵
PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
2⤵
PID:372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
2⤵
PID:2828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
2⤵
PID:1420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
2⤵
PID:4580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
2⤵
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
2⤵
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
2⤵
PID:64

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
2⤵
PID:4556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5388 /prefetch:8
2⤵
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5412 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
2⤵
PID:4116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
2⤵
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
2⤵
PID:2564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5736 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5576 /prefetch:8
2⤵
PID:60

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
2⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
2⤵
PID:3852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
2⤵
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
2⤵
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1844 /prefetch:1
2⤵
PID:1548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
2⤵
PID:1276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1804 /prefetch:1
2⤵
PID:3792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
2⤵
PID:2840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5024 /prefetch:8
2⤵
PID:2536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3460 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:412

C:\Users\Admin\Downloads\Floxif.exe
"C:\Users\Admin\Downloads\Floxif.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 432
3⤵
- Program crash
PID:4460

C:\Users\Admin\Downloads\Floxif.exe
"C:\Users\Admin\Downloads\Floxif.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 400
3⤵
- Program crash
PID:5016

C:\Users\Admin\Downloads\Floxif.exe
"C:\Users\Admin\Downloads\Floxif.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 400
3⤵
- Program crash
PID:1484

C:\Users\Admin\Downloads\Floxif.exe
"C:\Users\Admin\Downloads\Floxif.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 400
3⤵
- Program crash
PID:1996

C:\Users\Admin\Downloads\Floxif.exe
"C:\Users\Admin\Downloads\Floxif.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 400
3⤵
- Program crash
PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2044 /prefetch:1
2⤵
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6864 /prefetch:8
2⤵
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1048 /prefetch:1
2⤵
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2176 /prefetch:8
2⤵
PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2292,18419155760311356699,2738451513114273353,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1264 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4488

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1436

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:3348

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:18096

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:10012

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:41960

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:7244

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:22000

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:7312

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:7376

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
2⤵
- Executes dropped EXE
PID:22460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3636

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 940 -ip 940
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3944 -ip 3944
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 540 -ip 540
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1848 -ip 1848
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3364 -ip 3364
1⤵
PID:4668

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4172

C:\Users\Admin\Downloads\Floxif.exe
"C:\Users\Admin\Downloads\Floxif.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 400
2⤵
- Program crash
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4944 -ip 4944
1⤵
PID:4552

C:\Users\Admin\Downloads\Floxif.exe
"C:\Users\Admin\Downloads\Floxif.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 400
2⤵
- Program crash
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2124 -ip 2124
1⤵
PID:2908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7288

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\4b12551de77140709330c079221eb267 /t 7364 /p 7376
1⤵
PID:8380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault89ea150fh644dh446eh860ch57d8e08dad27
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System policy modification
PID:9528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa53c346f8,0x7ffa53c34708,0x7ffa53c34718
2⤵
- Executes dropped EXE
PID:9500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7626816423639965827,5000938841917939810,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:16100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,7626816423639965827,5000938841917939810,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:9800

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll
Filesize
72KB

MD5
ccf7e487353602c57e2e743d047aca36

SHA1
99f66919152d67a882685a41b7130af5f7703888

SHA256
eaf76e5f1a438478ecf7b678744da34e9d9e5038b128f0c595672ee1dbbfd914

SHA512
dde0366658082b142faa6487245bfc8b8942605f0ede65d12f8c368ff3673ca18e416a4bf132c4bee5be43e94aef0531be2008746c24f1e6b2f294a63ab1486c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-DF96F5A3.[coronavirus@qq.com].ncov
Filesize
2.7MB

MD5
e611b2d5e17908d01ada00b3a0bf5df1

SHA1
db9a96f30193f33b5e512ec89c8a35f799b81a25

SHA256
8666e4940e2baf6828e929b8f5e676b2d4c25005051d0ed86133ebd33cb91a15

SHA512
f906d1ece3ad133669a12e362b16d95235de7baaf18e7061897cc64b2a9103cd6aa9bf7048f6351fa4f541dc71a5b564dda3002e303f08c8d4254f254d00c0ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\452d491d-fd07-488f-8ec8-01375add8c92.tmp
Filesize
12KB

MD5
bb446ce68a6aba8f395a11d5db1d8cf0

SHA1
bb98036fed068cb000ab3669f5e104049be2fac7

SHA256
7f4a9a45d86e76cef6aa660c0ebc92fbe8e207afe19bc2d150bc899b5131bfd3

SHA512
a13a2b4d19581fd8f1d005324b6b1ef91dc6541de1c1f82c96105f041a762360f201cf6caa796932551da59f9744f30fe3861ba4e2b18dd20c13ef0bdc00ffb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ffb5f81e8eccd0963c46cbfea1abc20

SHA1
a02a610afd3543de215565bc488a4343bb5c1a59

SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ce8ef061c71b3b532a507f2a12bcae17

SHA1
68f1514dc4522dd5e5da0e219cd200e2731d1376

SHA256
1893db140d9a0ba066917a748812bae79cee79a8253d955fffcd280b07db3491

SHA512
8b73d3cbba661ce3a901eb83f940881d675966beb3b0fc23d96908ddb4aea48369d04f0359086d90c970acebc5ceae9fb8e4c005913f42f3dc54136611f76aab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
Filesize
69KB

MD5
a127a49f49671771565e01d883a5e4fa

SHA1
09ec098e238b34c09406628c6bee1b81472fc003

SHA256
3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6

SHA512
61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
34KB

MD5
736fd708f1b321b2a84d7fe3287d26f6

SHA1
997e6fc05a0960b28c10422c42b7e3ed79be2c0c

SHA256
a3c49c1ac2dc2ba5609a4b54a70cce63e46fdd40567b875d4c9b201bfb2fcaa6

SHA512
d137cbc22ddab4a36d4a4fb815a3b12997ef26be894abc04234aa72ee5e5e8342b3897c8cebb907e1ad9590e71906ecc8f2a6ca435ed7cb56802ed320490ccbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
Filesize
1.1MB

MD5
93feab00f76536d681c1b77eca2c7caf

SHA1
c48cbe893b3178a56357c132cae2fa63918d790f

SHA256
5da61564d6ae3fa4506522460d177f8b642b20bae63f81cee14b9ca71fd49226

SHA512
6276f945f1008c70bdc559a8d6a14c609a033af2fae6bd80c129da546e7df6cfb3fcdcc452508df8ee5be7a0a87a6f9930664b8b9726c4e52877802a9ceca5ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018
Filesize
19KB

MD5
bfdcf12d621ea893e79ca269da93dd02

SHA1
5519303d3469cd9bbb4bf1e5ec31aa5eee5a5950

SHA256
39bd58789bcf50120e7032ec73512f9eae0e1774877e43130463c79da2e2f922

SHA512
dfaa03eb8ab710cdc11a1386d1a13b4f7624da12a1bbc3722541e4d5938a8022c58101f5597c3b2e4b545a39151308814c002c0d89a230bdae4f785ea0bc4fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
abf03334261487928dce94a333b53c19

SHA1
04437adbc7227d450e64ed0e3b4f73ce600af7a8

SHA256
411a406b2ea56556ae3582c577bc2d148f4a8614f1ba215a8c8a81c0d91bf6e1

SHA512
9c5a7d77e0095456393d061644dcdf32b4d7703d6424b796376d93f989dafae756bfbfc791a3990aad5d6aeba0df985271a68287e27b73097762cd1d6d338261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
98ad259299fdbb9a1682824eb597c575

SHA1
7f83d00505b451ca2e2d2e2d446a666330a111ff

SHA256
ce29365cae5fbeb75fd83068ce5e75c9fb7635fd034847bb659ceead6b6777ef

SHA512
947d0f1f368e95931ebee4ef18b224f51ceb3874c8f42a4e6648e196c50f1f6a3885573428ad0fe1ab60d453938691c9605106e6cdf781e0c715dd6d40e82ac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
d89d1c22f5748967743817f39e23b8cc

SHA1
1b989fd8547c1cdf99b35df74761337b5fae2bd4

SHA256
0ecb00c245e077239f1282bcb16f27cce90502db9e370db26bd8cb15335161a4

SHA512
d18160535cfc1aadb1f598f7dec3cb5f8e88eaec28d30bcc07fcfaf7113fe241c677884ecf1b8157c01841c3f26ea1e8f7337e0fb780e44c9b80a8001459c18f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
120B

MD5
cae34210f31ee8ab492de7908cf38ab6

SHA1
5e44bbcae2803f2ee056e36da840c9925adf5039

SHA256
3778c48806a1791ddf61d21bff3b744102203412907840373806a7f748557e21

SHA512
69a9eb9b3103520d00a93f50784b37d786e33e19065af66e02d2a9c9d37dd6169b036ae0d599120dee3a814b8a4f49e4f2f762e1ef245fdc747dfab27e6863b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
7e14778b4a9848e40f072e150a4208e5

SHA1
056d9ee5c41221088d20fb5d57374d55ff4e5c32

SHA256
77e1356b14a49aa4215f1e8eda21ce659cf64ebbd16f9dfe8857290cb4d76359

SHA512
f9960dabc0e6607e359cc2c364272716281b7ca20ab2d9a0a3b63df7f6a839c206fab845bda9ab1c39c3522ca166d36fca052ec30a3e2c9f0d007dc29be8c741

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
858B

MD5
bcee0250cdb297060d69d5c5d06a5479

SHA1
de3c4db41806c3990b6d402ab1b54f0f38d8f4dc

SHA256
9485c6ab81ffe8c0b70c37d952708569c6a0f149ca1a09750832ea8df9d62bd3

SHA512
5edc5456df91977f9a978edd77914d5cbe478c61e7c9da19b7aa9d6a3ea423cf14253cf4c24e87a146222f10d26fdf0c6315c49383b93177d659c5ccbc8a655f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
941B

MD5
52e072bf1d8d987055456bdefe82117c

SHA1
7a2f2c43ac4d35000e3f03660366aff6ee60861e

SHA256
ced88f828c4e5de16ef1dabd14ad1c48fae3a6fe37adabe49d3e4c6b2f4ac836

SHA512
661d6a7e70c167347495218649c09df611109a82d1af5df9287837097079ffe2e27adb6280f380d2bbaf64fcbce17bc45ba30948a5873722b41e65d662c3eb7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1010B

MD5
d8d1e21c84b228f18138b4a22a724feb

SHA1
10ab0fdb339ff595af3db4e060aba0fd697ad11a

SHA256
230380257fd7eb8e01d1e6727fc27c7dd3411ef4e4a8ea360c49f26104da8052

SHA512
fdbb50187b5861c3b0e01ea75ef1e0e84a4a813c416108955e9c8d55f6fbff12d7ca06f48245190c4986ad662945644b241c170f83e8bafbfab23961ca9802db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
97fa5cb02b7caf8839c14f7fbd4349b1

SHA1
34b97d0844b98ad3c450237a5dc3edfc7fa7ae82

SHA256
e4e78da337c0fa728c17c37c6ecd2cf6abde0d914520edffdb17244d7b478799

SHA512
c9556ba69bb4cbe5c5c8b26a3d5e21b078eae5bac8f2e99d0fd854678816f65bb057ae042c2308927b691824c8e6d7f49dd4e008fbee82778a0890722b18850c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
dde4e1fec8798930ebb6c9d125f46758

SHA1
b47a2890c193f41445baa682cd8ddada645361c2

SHA256
20c273b0c3fdafeae54cf246a1fa3fff4dc06301014f0565e7fb645143b2730e

SHA512
da4b18ba6c4702a12ce329c362e187ed6503eeaf2b3bb663e444efcad2a9018a5a7f68730b891b66fa3306e783f58f2be8221c657cb07b106667cf07e92bd77c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8973138b3af979b805c5fbdd3d878dc4

SHA1
faf9e9bb5d292b286ae2285413781432d73a003f

SHA256
8bd07f4f8d5d02c182a462d97f4628d4b14c463400c9da14903953f951a1ba6a

SHA512
d9933c9304250d5a730e929c7ec21979ccfa7a03f32c3eb7ac89db5ffa7fb6588de45d462f8a2b82c4560a49e93a2bbdc955b1b126ab1318cff2e4a1234ed886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
b12185741047b2c1865c486da9d8b9ad

SHA1
4e9f102934a9bca0fe94a4ce9e36a482246dd203

SHA256
0cf5ee9fba2562171c7715b904d46e32606e56cd23112dfd2babb0afa1d9e653

SHA512
161c5df3e398f99a0f8aa2432ae3a09897d2db67a9f511feb6d21747d6b02371af2f02cecb56e10da0cfb0991bf4fa71720197594f45797f95e2a897b8415f73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
4d764d99f19b398df349865eadf78965

SHA1
c5d268539e6f954941fb129db040ba6f98d0f622

SHA256
9fbb129920b6a292f904d077254290becc5164b008d9ae6fd7653624825fd21c

SHA512
79756fe6dcd04f8b62b462024c9c7a1c5395b7d1a07253de8e47021ce0535c35de82a0c1c88fd31166b816358a7b95bf62057630f283c8270f207994001bdd62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
39646893a9731008a9aebeb98da1e96f

SHA1
d7421f1328a591136cf72c89f6e9c97d15f1e92e

SHA256
0dd402fb059b4b8d0c298fa4b2cf850427634ab341a2627f968ac19e0f191343

SHA512
7ea3ef937747f82d2c6f3b418d67659ab2bfe42ec7b990d8a6521228323e3076c96e5912f242fcb89ca27eb97a24ebc06caaf735fda785f599ac37ceb8c1a093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
1d7488bebc0ce39d237c42b1d8f3bb5c

SHA1
e7149a701c69ad272ec26df182ee4668e82d175a

SHA256
93f528d40f90912aa638451421778586e05e62304cfe82a0af801fe6a8fc173a

SHA512
c893cd5ffdd9409bf0bef964440c626bf0c8d60a33d8e34668dfe9dd6ac1ebcabce0f4f24982b7c52543ec4e5e3b45f60f52719e00d5c58c648a7c190f6a4422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b1aafdbdeb5e07f2dace97c736d3f3a2

SHA1
12248b7ac6925e1afb0849c0abd1ea6c96db9a96

SHA256
c9f44c13ddb894edd4e4ce8144514895a76ad5a3c4ed7d5346f53df3978c53c6

SHA512
c30e9d422a51994b0ab9fed467b77fb21579a424ff07a217d5c6493a93f7b315ad378aff20381355d92fb22ce32fd486f519c7a82a3d292dba9b56585450c2b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
0c89ea1d916981a18beed90663173b17

SHA1
9f33f34c5bf89ecd4dd81dfd8a25e95e9a643f2a

SHA256
6aef93de026326ea1255fe9ef5996d908faf510b714734e5296540b983acfec1

SHA512
390dc945396dc4ec00d20e27728e867c13d182f8b43ef3aa645b4a24ae2468ed0ae8d85e20f8ec288afb691ffb3332f6b9b7bc77a96a8a1459bdcefc857c33c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
c931b78d3b4a07ef3fa53ca1e4b2ea9c

SHA1
952006f44a9e83f2df66822711c6e335e6b752a2

SHA256
65d442e4a6dc034f360c4297e876a31cf45225e262ea99a8fb019a55a5cc080c

SHA512
97538b62741e36d436977d5c143ed0bbb6708c3eeee11baf776077fd6a9eec9b67d6fb66fd2d26547c0bbd5105552606ae727714b286d8075ae33d820fcc5fa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d57501066f5f2a766d625161ba5a3351

SHA1
d959558ef82146127f20f83305dc408cc332d145

SHA256
07ad03b81b574973347fbf7c3adcd2b79ec106fe5e3fd3950ba056913d41ff13

SHA512
26cea4340e33b4c20059502c2dfb38644873cd7beadc65b5a7c5c8ed00e74e6bb2f48ec246d2082d59a071ccfbd61c1de5a6833a4e336e1a61a7155b98cda697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
76ae5b26307f9787861e0c2fdaae89f3

SHA1
0a786cb460a66299546ffc02db376bf7fbfaf4ae

SHA256
75e3df9345d237a9fcf404f2a29c649ff53e604dc3ebe14a8df3e72934ded3fc

SHA512
61b90fc48215cce6b5ff6b6d0f4e3b487266bd48fe2b8b57c68c9d4001c9f89104f2bfd8090239943081a28e445338621e82629ea59fd65da96a25530bbeb773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
ee054d3962a3f16c5b966556ffee57b2

SHA1
9295a533d69798125ed5814756696938498426d1

SHA256
46dca6ce17cfe05f7cde7c30925db1cef765637e2f15dd4c20fcc382a7cafc44

SHA512
b9303a279286bbf0870c33594678deef21f33a7ed7ed5e0a0671bb9cee2085b1d416e3d4765d4c989db8236850ed59d1e84b157fd26e4bcfaf28c613d3d2cc6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
f57710a142630be5845496ea4fc998b5

SHA1
dd84d2473178472fb14094055849f52337d81dd3

SHA256
9a24f07129eb46166b2c450304c59c9a26ad720809cd61734d617ed3315a0f50

SHA512
0c72e9b16fbc63e2483e7785326412fe04f6df8feb0162be15856a70fabce5d961dfbd0817f7f42f3c1b850cedae87e95c77c2795a6e962eb8c650299ea93465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
ca811ba96c302719fee850d02ec759c9

SHA1
656443c30573824262ad2f32a9335686d565cb04

SHA256
b63f090bc1cb3f33b22cf7f4dd3828941744cffacf056afceab02053be5ea83d

SHA512
de081c59b4a4042ca802b625e3cffcd5040933d38f5d5b8091aaa08ef4a32a554da38d04fc22ac63037635cd9b5ef3ecb1042d56ad8f3b24f68ee1a2695ed722

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
33875e4fab74787bc2637920dc48d2c1

SHA1
560d0acb1091d1d787efd41efd4a115d2c2b5a8c

SHA256
4fe8f8f8a43b45c7760bcebca27dede4a2778059b68477af3f5bb48162f8f7c7

SHA512
22b81ecd79075b71c2ab6218e7a22f5379c1f1c82b3f631dc4181da60cfad0aba1ec7ad44c37242739571c69360a586bd4d24665883bbe230756c03b08587934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
8f4acdf68a0c384de11c799fbb8e09d8

SHA1
3500b2441c7ebbd77f9d3de00a66d9e050653bb6

SHA256
2397e0be05a6535cbb745298369a36d7b0461dc9c23daaadd850db4d6da4ee11

SHA512
0437fa560cdd76726a83c5d325087c43de76f8edc692c930441546403e8b2fe019ac39ce1d964485f4e33afabfbe540cf86c6a9dd0b97715344a7438d4bc0818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
07c2aa61e90c109e3337760c49ec219a

SHA1
e6c0900a5a5cc0feb61af4936b2f25f24edfde50

SHA256
872f0f42fc823c3c15e6d4855e0b6145ed0b7c48fa324be1c480144e6302aa7e

SHA512
81f7f67eb8c657dd322776bb55a27615056f93662ab4f3bb68d80db2effc56522b63dfdd589cd000dcb11de4a8ceadf2fcce2615787e3814a7ab9a42f702323e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b6372f3ddf80f404a06b4a89404c3863

SHA1
8477eae8348558f602477ffb20e3af3dfd45c8a3

SHA256
a1c9fee824b2f128f595c90897757a27f29a84c119a732ffb0e3fcde0c462a7a

SHA512
339ee0de37ecb015d30093d485b940b783a0292b066d8e42db099d792970c768676282091db2ca89a1aee20abd675f4b30a9929d59ae383198701e11290a0267

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
cd940c321a81b789e489932d6cb9f234

SHA1
9d4e0ff5734bcf44efc8f7ea8a8ad5d6005608f8

SHA256
00b41459cda6158e776edbe9301ae4dae42d1256baf8caa8608eee2dd2113f5f

SHA512
701c559f6fe86741951e0f1159ef8b16688797802e509dfcc1f6576f53106f2d6f0b692b7168d5ac666a7350876ff2023c7d52390f6654a6c3616e5c953aef4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
e1474a6eb9c7f58df5d4e94e1d9cc251

SHA1
85bf6ace2779b5da9c81b10f079b73ff9821338f

SHA256
947f448b9a2896d003ee00c84a39457286237e4d4c26be4aa92b661c8fa2d5c4

SHA512
ae597ab21528e0dabb9b57923ca0e6a770342a15606ab514c8f38b35496e4f0d5bf9b0b492eb6f422e4d17f335e27c3522514d49de7dc8b3381fb9cb406a30ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
f910ca7dd6f552511334def3dc1c86d5

SHA1
dd45aa61d8470ef74cca23a4d8c225d523a0ae7a

SHA256
71773b9f6a54cc7559325405f07ad7639f7567db46e3d51c39c82fd07e3e0169

SHA512
e8e6d567654af11aeb48d583deb513a24a177fef48efd494691d245b80248e8210f3804235590ede8cfc768823eba24318dd4767d5871ebcb1c1091a3bc272ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e2ee.TMP
Filesize
1KB

MD5
4fdbdddfa7e914648e5069de190df582

SHA1
b5090e80ad83410b1cd621975fe4e4d63b15c8e8

SHA256
b6db9b78eec1977e4d9eec5d935d8601a7e5168e2c56d62f14fad76be7170b58

SHA512
287f8fcdbf8997d1f9b6513d41948bfb5afafba3f6f7294fedefc2b300205b3706f698acaed1986984652e407b1b15ae3f8ae0e25cdfd5a7a64d1bbffbfe065e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5fcd0d.TMP
Filesize
1KB

MD5
ab7b5c9a64cee1be559e69bca6c99e53

SHA1
c86cf4d81bd91661a43be05b0715e856540653c7

SHA256
648ffffc71e3888f5a2950eb6a15b4249559aa381b8a0feb03dc08bbb3258ec5

SHA512
f29241ef87bacfddc8216b436b51c919fd37a45e0add715780deca3bbd96a5c5b578af4bc493d3a2a20077eccb77f1f0f48c81aa1f13348dcc9ede97d7698d91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
Filesize
76KB

MD5
c5085427a19df1a483969df2cce71a4a

SHA1
7b796654519b9993d805e6e3927c3cb99b76000a

SHA256
f8805969ca9c50f16588ddd7b072a63a929c3a9571ec20444133ce8d1f10e82e

SHA512
b6a6957c30c9bbe8c6daf040a3115b2c096ca1214a999e32eec0ae55b3a4376cbac6097c854862adbb6417335000789b1e7a6e52d76392ce573e8e6a8608a650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
17b5cd7231f07ca04d751525cc623a6e

SHA1
554e23731a21d5de5b0f3aa442983d9da8533cf5

SHA256
7ab5b1cb702c2a2be4b24833f4c530eb65d121823dbe4efa5b3aebe8b202f0f3

SHA512
dc069d54bed6ce8ba2be2c7b7d82db4f84ca44771d1616d0fbdc1e5397ffa41ecced199b262646457f45ca5b2111815981ac85213b76e7f150d3ce71bd9400f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
b18e4a6299350d25cee3ff87ecc345b4

SHA1
472a5240a6941070644d7721e4c53b106c01c23f

SHA256
9937b039a79b8abc58eea49d80d2efb6b4cafbc7ebca830c7041753eee3c7718

SHA512
63e279421894abab2da9a94af84c5117cc203eb9229f77823dee583b511f3fc817a5f0f89360185a195636044bfc8affbea03c12de9665de64a7b2586402aa07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
f7bc99d1e4ccb71b415f12e0a7c6c01e

SHA1
6dc2285e047a51eb22d14ad81021761008a4b955

SHA256
682a03a0fe036269bdb19f84d7dc0e497b44fc013d5cb2d8ac19f99f71ee9a42

SHA512
d7b8d8cb72b6e233c79fe8324280ef7778b4a6d4e0d735a1d4a4243649c8f07297ca6b7bcca243afcb292af3e5691e3d1105882d65a2edde451dab6430ddd7c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
36fa355d446a684e6139f9e5027e2c6f

SHA1
798b5eaf446c998202e3913606fc72258a563f3d

SHA256
72c7e15dc34d411ed4fa8d23c30dc2edceb3d5f9ea69799665d95a1c92a02c75

SHA512
a39888d2816560f81ec504cbfa464b79bd57fb099c2605ab019ada4fe8632602709b41d956ff382f6bc5e2ea4294b55f241c215f865aca7e83cf60cff384b9d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
ecb7df8b1ff93c2723daa81697949b5a

SHA1
af39787bab0039ddde8f5f170cbc06be9941e2dd

SHA256
a2158cf52bfdb4aba50d7402618955b4e89259861bfd6e6bfa0c38ee59dc5d26

SHA512
100f93262ca3a295bce114791b27f9e5459493f9ea76c47d177b4fc9872a2c24d20d1e91d0be01ef7b6d34319cbde53dcb981cd220e86cab5c6126383e39e6f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
10KB

MD5
60b5f2aefad6aa3e6a05dc860bfa4026

SHA1
7d926035546c546eb3f9b01c77a8cb834dd6be9f

SHA256
8545b56d09c69ef3b208aa7d2947d23fded6f64eb702b7c359ef6a7069b9b2df

SHA512
1819a588723ab342b3687eb249fee0735856a976b58395df2c5ae24452449337566035e7b5546744bdd02249168625a61c275769968b68b3e604934416d9e95a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 678806.crdownload
Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 859398.crdownload
Filesize
532KB

MD5
00add4a97311b2b8b6264674335caab6

SHA1
3688de985909cc9f9fa6e0a4f2e43d986fe6d0ec

SHA256
812af0ec9e1dfd8f48b47fd148bafe6eecb42d0a304bc0e4539750dd23820a7f

SHA512
aaf5dae929e6b5809b77b6a79ab833e548b66fb628afeb20b554d678947494a6804cb3d59bf6bbcb2b14cede1a0609aa41f8e7fe8a7999d578e8b7af7144cb70

Download Submit
C:\Users\Admin\Downloads\YouAreAnIdiot.sln
Filesize
1006B

MD5
76b06b4f32c1a1d1cbd3767a11b9fdc1

SHA1
4da3da200a68c940c9f20edbbeaa159cbf910d90

SHA256
c23dcd400f98fc07f2f24411d681cc27cb3ddd4df4834d6456e0adbe9ad59697

SHA512
00974bb7139e60160175b209b4eb9ce73f93ea9e316adfe2d8595ada00b1f6d0bf7de6795aa6bdde5bca0a22a8395a368d69aba04265134fa2c06af7fdbf650d

Download Submit
\??\pipe\LOCAL\crashpad_2732_OYTIIGQRYYQATBWT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/540-1224-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/540-1222-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/940-1194-0x00000000002E0000-0x0000000000355000-memory.dmp

Filesize
468KB

Download
memory/940-1195-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/940-1192-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1436-5923-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1436-1373-0x000000000ADB0000-0x000000000ADE4000-memory.dmp

Filesize
208KB

Download
memory/1436-1374-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1436-1363-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1848-1227-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1848-1232-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2124-1281-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2124-1283-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3364-1234-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3364-1230-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3944-1218-0x0000000000260000-0x00000000002D5000-memory.dmp

Filesize
468KB

Download
memory/3944-1219-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3944-1217-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4944-1267-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4944-1269-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/22460-5935-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/22460-19457-0x000000000AC70000-0x000000000ACA4000-memory.dmp

Filesize
208KB

Download
memory/22460-19328-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/22460-18857-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download