Analysis
- max time kernel: 509s
- max time network: 476s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 12-04-2024 14:32
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  - Sample: http://vgdf
  - Resource: win11-20240221-en

General
- Target: http://vgdf
Malware Config
Signatures
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (584) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Disables Task Manager via registry modification
- Drops file in Drivers directory (3 IoCs)
  Processes: Gnil.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\drivers\spoclsv.exe | Gnil.exe
  File created | C:\Windows\SysWOW64\drivers\spoclsv.exe:Zone.Identifier:$DATA | Gnil.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\spoclsv.exe | Gnil.exe
- ACProtect 1.3x - 1.4x DLL software (1 IoCs)
  Detects file using ACProtect software.
  resource | yara_rule
  C:\Program Files\Common Files\System\symsrv.dll | acprotect
- Drops startup file (6 IoCs)
  Processes: CoronaVirus.exe, xpaj.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe | CoronaVirus.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | CoronaVirus.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | CoronaVirus.exe
  File opened for modification | \??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe | xpaj.exe
- Executes dropped EXE (1 IoCs)
  Processes: spoclsv.exe
  pid | process
  5008 | spoclsv.exe
- Loads dropped DLL (1 IoCs)
  Processes: Floxif.exe
  pid | process
  4424 | Floxif.exe
-
  resource | yara_rule
  C:\Program Files\Common Files\System\symsrv.dll | upx
  behavioral1/memory/4424-1722-0x0000000010000000-0x0000000010030000-memory.dmp | upx
  behavioral1/memory/4424-1725-0x0000000010000000-0x0000000010030000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: CoronaVirus.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" | CoronaVirus.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | CoronaVirus.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | CoronaVirus.exe
- Drops desktop.ini file(s) (64 IoCs)
  Processes: CoronaVirus.exe
  All 64 entries are "File opened for modification" by CoronaVirus.exe; ioc paths:
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
  C:\Users\Admin\OneDrive\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
  C:\Users\Admin\Searches\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
  C:\Users\Public\Music\desktop.ini
  F:\$RECYCLE.BIN\S-1-5-21-1637591879-962683004-3585269084-1000\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  C:\Users\Public\Documents\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Public\Desktop\desktop.ini
  C:\$Recycle.Bin\S-1-5-21-1637591879-962683004-3585269084-1000\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  C:\Users\Public\Libraries\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Public\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
  C:\Program Files (x86)\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  C:\Users\Admin\Desktop\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  C:\Users\Admin\Favorites\Links\desktop.ini
  C:\Users\Admin\Links\desktop.ini
  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
  C:\Users\Admin\Music\desktop.ini
  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  C:\Users\Public\AccountPictures\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  C:\Users\Admin\Documents\desktop.ini
  C:\Users\Public\Downloads\desktop.ini
  C:\Program Files\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Admin\Saved Games\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Public\Pictures\desktop.ini
- Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: xpaj.exe, xpaj.exe
  description | ioc | process
  File opened for modification | \??\PHYSICALDRIVE0 | xpaj.exe
  File opened for modification | \??\PHYSICALDRIVE0 | xpaj.exe
- Drops file in System32 directory (2 IoCs)
  Processes: CoronaVirus.exe
  description | ioc | process
  File created | C:\Windows\System32\CoronaVirus.exe | CoronaVirus.exe
  File created | C:\Windows\System32\Info.hta | CoronaVirus.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: $uckyLocker.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Control Panel\Desktop\Wallpaper = "0" | $uckyLocker.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: xpaj.exe, CoronaVirus.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFPrevHndlr.dll | xpaj.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.GrayF@3x.png.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\icudt26l.dat.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File created | C:\Program Files\7-Zip\Lang\ps.txt.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml | CoronaVirus.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lv_get.svg.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\Trust Protection Lists\Mu\Cryptomining.DATA.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\System.Windows.Forms.Design.resources.dll | CoronaVirus.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x_2x.png.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\ReachFramework.resources.dll.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png | CoronaVirus.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png | CoronaVirus.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\close.svg.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\nb.pak.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-16_altform-unplated.png | CoronaVirus.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\ui-strings.js.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fr_get.svg | CoronaVirus.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\tool-search-2x.png.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll | CoronaVirus.exe
  File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\LICENSE | CoronaVirus.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mp4_plugin.dll | xpaj.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md | CoronaVirus.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-40_altform-lightunplated.png | CoronaVirus.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png | CoronaVirus.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\it-it\ui-strings.js.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\editpdf.svg.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\ui-strings.js.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Reflection.dll.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\BuildInfo.xml | CoronaVirus.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\ui-strings.js.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File created | C:\Program Files\Microsoft Office\root\Office16\msix.dll.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-24_altform-unplated.png | CoronaVirus.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-20_altform-unplated.png | CoronaVirus.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\SplashScreen.scale-400_contrast-black.png | CoronaVirus.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud.png | CoronaVirus.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_share_18.svg.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-memory-l1-1-0.dll | CoronaVirus.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ppd.xrm-ms.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libdvdread_plugin.dll | CoronaVirus.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-string-l1-1-0.dll.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\UIAutomationClient.resources.dll.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\ui-strings.js | CoronaVirus.exe
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Threading.Thread.dll.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\custom_poster.png.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-pl.xrm-ms | CoronaVirus.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Modalities.xbf | CoronaVirus.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html | CoronaVirus.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\contrast-white\MicrosoftSolitaireMedTile.scale-100_contrast-white.png | CoronaVirus.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\ui-strings.js.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\example_icons.png | CoronaVirus.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\PlayStore_icon.svg.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Reflection.TypeExtensions.dll.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\Rectangle.js | CoronaVirus.exe
  File created | C:\Program Files\Java\jre-1.8\bin\msvcp140_1.dll.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ul-oob.xrm-ms | CoronaVirus.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Northwoods.Go.dll.id-35536CDF.[coronavirus@qq.com].ncov | CoronaVirus.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  784 | 4424 | WerFault.exe | Floxif.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe
  pid | process
  17688 | vssadmin.exe
  17540 | vssadmin.exe
- Modifies registry class (2 IoCs)
  Processes: msedge.exe, msedge.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1637591879-962683004-3585269084-1000\{E36C3D17-61FA-4816-91A0-F65BD955B2C7} | msedge.exe
  Key created | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings | msedge.exe
- NTFS ADS (1 IoCs)
  Processes: msedge.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier | msedge.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, Floxif.exe, Gnil.exe, spoclsv.exe, CoronaVirus.exe
  pid | process (identical rows collapsed; row count in parentheses)
  2568 | msedge.exe (2)
  2280 | msedge.exe (2)
  2848 | identity_helper.exe (2)
  232 | msedge.exe (2)
  2668 | msedge.exe (2)
  480 | msedge.exe (4)
  4720 | msedge.exe (2)
  4424 | Floxif.exe (2)
  2568 | Gnil.exe (6)
  5008 | spoclsv.exe (2)
  3040 | CoronaVirus.exe (38)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: xpajB.exe
  pid | process
  1364 | xpajB.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (32 IoCs)
  Processes: msedge.exe
  pid | process
  2280 | msedge.exe (32 identical rows)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: AUDIODG.EXE, Floxif.exe, vssvc.exe
  description | pid | process
  Token: 33 | 3648 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 3648 | AUDIODG.EXE
  Token: SeDebugPrivilege | 4424 | Floxif.exe
  Token: SeBackupPrivilege | 18024 | vssvc.exe
  Token: SeRestorePrivilege | 18024 | vssvc.exe
  Token: SeAuditPrivilege | 18024 | vssvc.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes: msedge.exe
  pid | process
  2280 | msedge.exe (64 identical rows)
- Suspicious use of SendNotifyMessage (16 IoCs)
  Processes: msedge.exe
  pid | process
  2280 | msedge.exe (16 identical rows)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: xpaj.exe, xpaj.exe
  pid | process
  1328 | xpaj.exe
  1676 | xpaj.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: msedge.exe
  description | pid | process | target process (64 rows in total; identical rows collapsed)
  PID 2280 wrote to memory of 3252 | 2280 | msedge.exe | msedge.exe (2 identical rows)
  PID 2280 wrote to memory of 744 | 2280 | msedge.exe | msedge.exe (repeated rows)
  PID 2280 wrote to memory of 2568 | 2280 | msedge.exe | msedge.exe (2 identical rows)
  PID 2280 wrote to memory of 4304 | 2280 | msedge.exe | msedge.exe (repeated rows)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vgdf1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdc1413cb8,0x7ffdc1413cc8,0x7ffdc1413cd82⤵
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5668 /prefetch:8
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4716 /prefetch:8
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5656 /prefetch:8
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2516 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3484 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7976 /prefetch:1
-
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,11077053325301116259,10771844439458518625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding
-
[level 1] C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding
-
[level 1] C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004D0
- Suspicious use of AdjustPrivilegeToken
-
[level 1] C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding
-
[level 1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
-
[level 1] C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
[level 1] C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe | "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"
-
[level 1] C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe | "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe"
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[level 2] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 456
- Program crash
-
[level 1] C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4424 -ip 4424
-
[level 1] C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Gnil\Gnil.exe | "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Gnil\Gnil.exe"
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
-
[level 2] C:\Windows\SysWOW64\drivers\spoclsv.exe | C:\Windows\system32\drivers\spoclsv.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Mabezat\Mabezat.exe | "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Mabezat\Mabezat.exe"
-
[level 1] C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Xpaj\xpaj.exe | "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Xpaj\xpaj.exe"
- Drops startup file
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
[level 1] C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Xpaj\xpajB.exe | "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Xpaj\xpajB.exe"
- Suspicious behavior: GetForegroundWindowSpam
-
[level 1] C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Xpaj\xpaj.exe | "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Xpaj\xpaj.exe"
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
-
[level 1] C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe | "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe"
- Sets desktop wallpaper using registry
-
[level 1] C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe | "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
[level 2] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe"
-
[level 3] C:\Windows\system32\mode.com | mode con cp select=1251
-
[level 3] C:\Windows\system32\vssadmin.exe | vssadmin delete shadows /all /quiet
- Interacts with shadow copies
-
[level 2] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe"
-
[level 3] C:\Windows\system32\mode.com | mode con cp select=1251
-
[level 3] C:\Windows\system32\vssadmin.exe | vssadmin delete shadows /all /quiet
- Interacts with shadow copies
-
[level 2] C:\Windows\System32\mshta.exe | "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
-
[level 2] C:\Windows\System32\mshta.exe | "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
-
[level 1] C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Pre-OS Boot (1)
Bootkit (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads
-
C:\Program Files\Common Files\System\symsrv.dllFilesize
72KB
MD5ccf7e487353602c57e2e743d047aca36
SHA199f66919152d67a882685a41b7130af5f7703888
SHA256eaf76e5f1a438478ecf7b678744da34e9d9e5038b128f0c595672ee1dbbfd914
SHA512dde0366658082b142faa6487245bfc8b8942605f0ede65d12f8c368ff3673ca18e416a4bf132c4bee5be43e94aef0531be2008746c24f1e6b2f294a63ab1486c
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-35536CDF.[coronavirus@qq.com].ncovFilesize
3.2MB
MD5c5ab6e7c9446dbb36128a1842ff46ef5
SHA13cc2a4fd0b3428472361b4d94566b1683ce1b86e
SHA256eb6740ace0da18ce60ba02b89dd3a037d5fa8516047c88b38a552ea61cf7a97d
SHA512e0d275d55e75e76e0be318ecf1c4ccb6b075a6b3854815c2bcbfae5b2768e8a567eb74e9bf0ec3f4b2deccc423d8fed97cc47d39a63118cac894f4341d7eb61a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5d459a8c16562fb3f4b1d7cadaca620aa
SHA17810bf83e8c362e0c69298e8c16964ed48a90d3a
SHA256fa31bc49a2f9af06d325871104e36dd69bfe3847cd521059b62461a92912331a
SHA51235cb00c21908e1332c3439af1ec9867c81befcc4792248ee392080b455b1f5ce2b0c0c2415e344d91537469b5eb72f330b79feb7e8a86eeb6cf41ec5be5dfd2f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5656bb397c72d15efa159441f116440a6
SHA15b57747d6fdd99160af6d3e580114dbbd351921f
SHA256770ed0fcd22783f60407cdc55b5998b08e37b3e06efb3d1168ffed8768751fab
SHA5125923db1d102f99d0b29d60916b183b92e6be12cc55733998d3da36d796d6158c76e385cef320ec0e9afa242a42bfb596f7233b60b548f719f7d41cb8f404e73c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\30de8dfa-3e4e-4bfb-9f2f-46268966d90d.tmpFilesize
5KB
MD59612d5005d3feb3f69a27d7997f45d23
SHA16f7ed33bbfacd5ce590af784e05c1e68d13ef85d
SHA256311a0b09d958a12f7a63643ad10e31d048de72753145b68e3e1d2afdb359a96c
SHA51240a61d1432558010324a8e50a49ebfbe12b1b78e81965a9ce68479912e0fff115a25959b953f3a827825bb8cb4aedf2cd5e9300f1c725554a089cc9eeb9c2d3a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003Filesize
67KB
MD5d2d55f8057f8b03c94a81f3839b348b9
SHA137c399584539734ff679e3c66309498c8b2dd4d9
SHA2566e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c
SHA5127bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005Filesize
36KB
MD5dfa06a2cf726c1772e54d6f0e7b57fe8
SHA16c843917d374a2f5f4fbc2e3cb620737c56f864f
SHA256a99b0f8a4e209bf564f0570d79edc20f08244edae0a50da214ff32afc56d89fc
SHA512046af2d7537f6985db4c55368d5d0865713dd955ef094ff3743b0899e8699edc17029c29bd15fdabe4f1258fd1e502372f0073bd2ed0e8d5060e384c0a397e2f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006Filesize
63KB
MD5710d7637cc7e21b62fd3efe6aba1fd27
SHA18645d6b137064c7b38e10c736724e17787db6cf3
SHA256c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA51219aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007Filesize
84KB
MD574e33b4b54f4d1f3da06ab47c5936a13
SHA16e5976d593b6ee3dca3c4dbbb90071b76e1cd85c
SHA256535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287
SHA51279218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008Filesize
1.1MB
MD5d404b61450122b2ad393c3ece0597317
SHA1d18809185baef8ec6bbbaca300a2fdb4b76a1f56
SHA25603551254e2231ecd9c7ee816b488ecbde5d899009cd9abbe44351d98fbf2f5fb
SHA512cb1a2867cc53733dc72cd294d1b549fa571a041d72de0fa4d7d9195bcac9f8245c2095e6a6f1ece0e55279fa26337cdcc82d4c269e1dd186cbbd2b974e2d6a70
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009Filesize
74KB
MD5bc9faa8bb6aae687766b2db2e055a494
SHA134b2395d1b6908afcd60f92cdd8e7153939191e4
SHA2564a725d21a3c98f0b9c5763b0a0796818d341579817af762448e1be522bc574ed
SHA512621386935230595c3a00b9c53ea25daa78c2823d32085e22363dc438150f1cb6b3d50be5c58665886fac2286ae63bf1f62c8803cb38a0cac201c82ee2db975c4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000aFilesize
32KB
MD5bbc7e5859c0d0757b3b1b15e1b11929d
SHA159df2c56b3c79ac1de9b400ddf3c5a693fa76c2d
SHA256851c67fbabfda5b3151a6f73f283f7f0634cd1163719135a8de25c0518234fc2
SHA512f1fecb77f4cdfe7165cc1f2da042048fd94033ca4e648e50ebc4171c806c3c174666bb321c6dda53f2f175dc310ad2459e8f01778acaee6e7c7606497c0a1dea
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010Filesize
217KB
MD5876a8491f9caeebd660bdd7c9522ea70
SHA17acaf6272f9e65ba0b691047184e16d89de10baf
SHA256e08a8ae9e345c9cb60b7d0d12e47dae88fa3363d9ed44105bd2dd20096d174e9
SHA5123f2d1297c007ccfd2d81c5b06798d59d4c5a3c6d7ddd69fb846c1a64dfbcf6ec623e62442f74c9e0b8388544154e60590b33381abec1ce26a231dae4c9c8795e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001aFilesize
47KB
MD5045937268a2acced894a9996af39f816
SHA1dfbdbd744565fdc5722a2e5a96a55c881b659ed4
SHA256cc05f08525e5eaf762d1c1c66bef78dec5f3517cf6f7e86e89368c6d4a1ef0cf
SHA51271a025a421384ed1e88d0c5ffadc6450a9e1efd827fe929f5ef447d2901cd87572fccf13dfa8b2706c9fab8160163e3a0c80bfe1ab49d63ffbbcb0e4e591a84f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: 5580a15bcf9f9d471a6882f287fdeab9
SHA1: 5e6397fd205af2dcd23cfc35be87b8851c077bbd
SHA256: d14196cb1a7d18dee2a031e0631e0ccce132737874cf1494aaa2499c0d7a0cb5
SHA512: 6d79d51a1dc03b8f5050f71584758805d20edccd43bead4467d371bf37105a16168307f128c941061b00c28c463c715b7ffcce365a74dbe15718331d987ce800
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: 126130f5ed25100b459ecc6f7856bb82
SHA1: ae73bf97b25789a1c2e44d6b08d0d1272b566080
SHA256: 351308eafab8632fe4fc1fdc6ed518967e6ff1dd3d1783f04140e7b7963f8e8e
SHA512: 46bef4797d08a60587129cb43818de6a1ce3e839ff364e50584edbd42b5820c828c576f23b918f48191f2a5aa23923d65d85b1dcdf352aabf735a3c31bb10eab
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 4KB
MD5: 2de438ade86049d259c69a25b0fa2989
SHA1: 8c712dba901d055ab9be06353401df0d89108238
SHA256: 4e357da701daf51a35834cecbf650305601226af0f6067dc13bf494ad7e2dbb1
SHA512: 44765d5aa7f96e8630e0326bf97af861affb4991509cc2935d7b87b51a0173dfcdc2d08d45fc4495830c8d3f06831b735ac925e21b7c14504bcc8bef1c415b2d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 5KB
MD5: 3999b27940d094bf8db5b6c42425bfa4
SHA1: 063f641a183245871fdb160639a3d3480a83da5e
SHA256: 466bd5b21e7f34bc9d7d31bad750320fcf0d6fb30b579d63c736997efb791a66
SHA512: b32e9a8f3fda8682c0606c96f63b9ef0f1650ae1a252f8ee331c445fb1d3686643d944b44e1fe69230ae9ebdf5c411d30da39ea0949096ea5965a723bf5f4a54
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 3KB
MD5: 85f33ee22d1e5d5ac3a3f2cf1c349af6
SHA1: 2e02abcf5cb3378ba837a15c230e19af7233ac1f
SHA256: 9535df1daf40fd674ff5e07085ba46eb27cac011f02a1a25f073debdbc184ef3
SHA512: 159f6b5f2429b79be5058abdee64bc349b0fb20beb86a8ddd2676995c9d7ada1a77dd5569babaf2a6e2154802c64cd4731aa5cb0c032f06ba48327523efa513d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 5KB
MD5: 3fb6521b710efd263627efcb7058a7cf
SHA1: bc8a0c59ca3d17a4e6e6fe5bfb01b950785dca22
SHA256: 8ff7cdf7b4db22b5855f79c82aa38cbce3ffbe08c1f7258adcba859e8ed45d51
SHA512: 3d35ce22da733a691187af8b68e99cfb958e0709f4a3e136f3b341a34af8e4e663722d11aeac2721436738bf38ebd8b7c3ab29cdf81f2d4260b69c4baeaebd16
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 5KB
MD5: 8f3082bf298da5b98c42deb8ecdc6c31
SHA1: 7f9e973c1fc2e39c3cc554bf09c81f1b0d24ded1
SHA256: 05f63b8f337c85efa5987a7c84e0da894af856e185653e997d2c013bc69b2e02
SHA512: af87418d434b0eec14de2f780afe807d8630c25a5f962f4302f14607a5636d74834bbdc71369edb8f7230f91a3938fac68b1b699918c6e892e6a269266c22871
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 0562162f738165c4acba49640473787b
SHA1: e69f3310a3d0813171c653ade1b5d015c72fd1dc
SHA256: da0b117eea1423f8c6c3c29a9d35ca61e78349bd1f20f32d8dcb2a1d821b4c24
SHA512: f25629dedd813221798b5a5aa2c5e703943455d2d6007a817665e86d1538b3b89c5d364851ad5b9847f795a07baa1634bbcec06f8ddb825a3af2ff5ee92988a0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 7KB
MD5: 258d396eaf3e8dd47e9a0a890f3d77c4
SHA1: 2b25350918330ac987ae5217b1dda322e14f5f99
SHA256: a1ae50d2cb393f5dd692c60fc58cf50e2c09942a65629cf98cc0a82c634c358d
SHA512: d8547777b109c6e209f50ee40716c83520f0bd0d275f36143b5c6486a205b47daff52596c3c0252c209c8328c3953246dccb727e0457f9ec096c14763409d191
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 7KB
MD5: 197589147cbd330df1b2ca0409cb55f1
SHA1: 88e00cb48d3467368979412d73eeb695f0e19ef4
SHA256: db24d024a82a11469841f5cd03c84b0eff740b4bf225d442fa4aaa6892bc7f23
SHA512: 4f5be16d5522794742a3de371ad29b6cffc92162d066b30b24aaff824a3be9295cbb3186a4b8fb2cc7932c1c6c7f9552e0dd1e43857f3685f9aec7ab9179b2f5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 8KB
MD5: 4a792f2e96b9d0e035aa1f23f77f9537
SHA1: 694baf66fb689a89ae1070780c9133e6436b1ced
SHA256: 204a0b0ef227614dc8ef5e8de6c3ff60a78710a783f890362f980203ba1c3b27
SHA512: 77c4e4adbff35557977c4540385f79bdbba8adb642d68c01e72bd4b7caadebb1b3534f15661c65d6f9733b3ffcf255dfc1a405087c7696c327b2e51e15c1f360
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 7KB
MD5: 3c304731916585b22d6f13896c9cb25e
SHA1: 7620ecd71f9715617fbbb53c8a22e2a11426e64f
SHA256: f4dc501ad32be69d9bfe420a44aa07a627790e96f612b0102f61bb63bcd28fd4
SHA512: 255911c472cc5f6bc4805ea9e5f8dc5e4cef10e6ee37cdbea1746fa339b9f45b01a44599f48cad299924ba1da091e57ef23b52357f96ee20ac491934cdedc38d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 7KB
MD5: 80b1fbd16e55ca7b33f2e986b04f241c
SHA1: c2ce1d162fa0f93e3c950599329e12871c80679a
SHA256: 21f133861bcd319bb689f60ca7400b1e02b1d4550e58dca99a78476462a0b660
SHA512: b9432e34d6118cc9ed8c201ed72c8a2a5c90aa57b43d3c3489796fd29810f12c3373e42a6682335d5d9adf6ecb9159fa3e15587007cf64dedc6064f3a1162c7d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 7KB
MD5: 61c617e4375395d8489c38476977aa54
SHA1: f8f1bde75902549b9b7198c088ec29c8701e8e85
SHA256: 90b841cc1b1c6a08c224a27840f4e5665f47c5d2268d88582921855d665ae6ad
SHA512: 955a2e7d3f3866fac3ae8ee336ee1a8399bc04450b73a551464a98d9780b311009510d086fd842444f765a802b7a3c6f52f7148ec24b3d020ca837bda572e108
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\0130e415-6f1c-4a09-ba23-309cbf19b1be\index
Filesize: 24B
MD5: 54cb446f628b2ea4a5bce5769910512e
SHA1: c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256: fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512: 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\1afde0c1-ac92-4e75-994f-f9e9445bd8dd\242e9d7581788207_0
Filesize: 2KB
MD5: ffba712ad04684b9ce4974f0482f84ce
SHA1: f43de4134f77851bd5be0cdef004de4dca13e394
SHA256: fe108e41d60faf52e3816fe0aeb1e9d16bac9acb1434120a1cde3ba942761b11
SHA512: e5b7432f318754c1ef6e681ee2da9f51f7bcbf47b9ef7215f90def08e27e5d51333531c2b0b1bc737e28873e7c656cc85b91ccee22460ea8a280ed4658303021
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\1afde0c1-ac92-4e75-994f-f9e9445bd8dd\index-dir\the-real-index
Filesize: 624B
MD5: 0855a11d707b3708ef3dd6084e0a566a
SHA1: c6b4712edd27b0b2cf38a42734a253f593f47b35
SHA256: 2c61f948b0c0d9630471bdc720e7422784a9044ee5ce53dccb3738847ba16e48
SHA512: 897c9d600f0738482c402eb893f97efba5d5d6751c937af5ba72639e960bcc1dd521f237b202dc1f3680ed104480b648e9a1e9901805a5289393802e05b7eb92
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\1afde0c1-ac92-4e75-994f-f9e9445bd8dd\index-dir\the-real-index~RFe582c3b.TMP
Filesize: 48B
MD5: e1d2aee1b8e443fcf0e120e3db840c0e
SHA1: 5b21d6d7cdfee27fbab76b10d708697af2424dd7
SHA256: 9651922106ca2e2f5056db841de54e4dd2a2b01ac66a5d7186884f1c1ed93386
SHA512: 510e6c5b1cb2b27074e8d1422b801d0b3cc3ae3bd18b40a71dd13c376d485975b2b2fcba1b9a7a22daa754a0a1342545d6d8f2266f96d8b6073884957a0fd9ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c13d449e-bea6-48ee-a560-92893c00157b\index-dir\the-real-index
Filesize: 2KB
MD5: a31f321995cb960199e2bd9b2e00426a
SHA1: 43bb208f17e69a9961db7b49dcf67786cd99b286
SHA256: 0930ef52c9aa0b12f222812a56d0214113dd441f0f5f85fd5c17da504fb23808
SHA512: 0b471e2c301bac8df2441db4fa0dd41f329efbad5b540d612ce7352ac712c2f757abc240d7f7a1576d03fd5a57d10952ba0775b8ed9343166032aa880a151a69
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c13d449e-bea6-48ee-a560-92893c00157b\index-dir\the-real-index
Filesize: 2KB
MD5: 9373641b6468be79a80cd0e6c2157078
SHA1: 5b5f91e889fffe77bc7572c82078dd60a3c83f11
SHA256: 2ea87f54f49351d8b1cfc04ab2048776186813d1e646fd17ad35b871266b3a49
SHA512: 182d9666d81d11c00d2e54828cd42a08b097f23e6f582a0625ff3e3d778b3b21ae04cebd18295669786c3f2e07a5861b0b8173cc66d8245ec8e53bcc11e795bb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c13d449e-bea6-48ee-a560-92893c00157b\index-dir\the-real-index~RFe57d590.TMP
Filesize: 48B
MD5: 2bc04d0e14f859855880864d0b46d772
SHA1: 6524fed71ce0157cfcef1e298c838ab9a1a44d30
SHA256: 83d2d6b742c3b7953a5b0edaf691077304013cce39d435cd2b46708c29e66e4d
SHA512: 8ecfcf4fc47a95feb3883b5d05aa5ea6a955f5a06c2bf3c58b571e7ea6d7afe9ee4c945eee69404762d6539d9b27f562afcda21bed681f842f25223eae2856e6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize: 89B
MD5: c18a434f8b3f24863411b4d7d63d8a30
SHA1: 1024d355ecf30b22048559c72718186045eaf6ff
SHA256: aa90a92084dd0e160fbfd177cc2a2f87acf17618c92d5083a09d8fa32a973e4d
SHA512: 84f7fa953506f683f6e2bae4f6c62512387c400d37da4d7ac26c3f310d018cdae8b9445a8dbd16f1cf2666240467a4791cf5ba9803487b9f8e3e3b31ca5fc888
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize: 146B
MD5: f4ce43ca3ff0a361eb18f2af72e0e010
SHA1: 2bec830561004829816ccf6c6d5b9b380c02a493
SHA256: 56afb13ef50240cf227311d2454860bb453602d47b9caf45bcf213456676302f
SHA512: ae6b4c16a6dfcbfeb70d1a52e0763038e9c0acf4fb43da3867da0a0c488347b378c00ee8378f3389b4fdd944440b16c720fa528ee024f92a54e68db406f7a3b3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize: 148B
MD5: 9f685b18245572b8b67b0941f6dc141b
SHA1: b5bf60a491ed7c27aaa65110975ab2dcd1d3e6d8
SHA256: a6dd695e89bd5432acd03acfa134664270c8968ac04b53276aa5722cd8cee26e
SHA512: 990f1350819fc595d86855036f7f1dcc104f4f65dd80b605cad81ff8153bf9957acf077d3f317718f32f0af3c6d6df83acec199d78f914f3b5e731b0b25d70ac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize: 157B
MD5: a6b88c1373e03c521444d4dcf35010dc
SHA1: 97e533e35baba1d91cbfab625d429b2b7813a313
SHA256: f259ff4d7338a4f6c0de4004e5d15e493787aef3ac109b700a8f06e95400183b
SHA512: 7d1230683988d4deea7a0f5f5bca82e20f1ff1a0b07a1a0e42aef9d4cbf459b1fe1df707d62d97cc1ac4566a5ec4d03801b5a2664ed78dc54010b1e66712e673
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize: 82B
MD5: 0414607a69aa15ab955dd00a35337d7b
SHA1: 87a01a53a8de422dc65866187890d953964511b8
SHA256: 333d691f3c5a97555756edf05a7098e145ceba06aaa4d39e3e2f2cd2e1032fe5
SHA512: 70942f01e14a4d48383e304d88ded4558c57c748c8ad405acc4d4c3702f71fe7f1b4dfddb98dc435f66c246e07cbe2f6d3ef77d6a211bc02e09acb44eed70451
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize: 84B
MD5: 32bb173f186994561b43edb5973622a1
SHA1: ba86bf80e542ff9cba04ed4975cb331b466978c5
SHA256: 9af86df7599c9992144bbce781f470c94c732b6b5edf5611600c6daa8e436baa
SHA512: 903bd06d209aebebdf58786d6ff229f415558d8ad0ccb0b4ea0bb29692597b0a4673263c2beab6285fe43f6fe9b6447dcd5dc36e2b859a8785d89f89ede8493b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize: 153B
MD5: cb7920f8456a9bc4c8296700e599f4db
SHA1: eb6e0b9b4f6652d252365830c354d2219070a299
SHA256: efdba4a32d79cda637459f70264c81888de9ba2bed352fde7057c49b6ac75a4f
SHA512: 685ab580a31178cb33c43a8ba2ddc705691eea6e0b151c2ab60a398d9f3e17fd0bf22a9b1cdbcd7841e005335d3aab471dd2b703a7f4ac0bb5259251c6af4f7b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0
Filesize: 16KB
MD5: e43bed14e9b5990688f5620d1b337863
SHA1: 938735e3819da4ddf302ab304c59a27c899c2830
SHA256: 9c669b119106cea57fe25fd33413e41b8c3c8a581698e7871cad3411b11ebedb
SHA512: 06b621556010e1a75d1303cfedea5ab7560738892c1cdb05f44a3cc4e5057ab4cac763bd6fbb466edd49e3c8a826d45f6a88c5c3a2ae683efa5e3c7d65e3be1e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_0
Filesize: 161KB
MD5: 222c41a5633bfcf9a7075935abb5a5e3
SHA1: e7dbebdd77268771ce29a2bc795c48b49e9eb580
SHA256: cf710cb10f53f5b64914a8ceed2333da509a23cd8b561aaeb3b1a5a5ca26bf01
SHA512: a9b82d07b85fc6ebe9e81f074c32e49dbadaeb8c473a019fd0e5c218bc07b3ff063b4e569f4250685e04450ce99a1165481c5966a7027f821bb1cef3f5a20ecd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 96B
MD5: fc6e0202c0ead5d5a818730c0991edaa
SHA1: ffcb50f78bb32b1dac3594ba16fc9440cd2e4bed
SHA256: 6c5889742fd655990ed7426fe92f77f1d0d000d58d52952c406b8a62ac519721
SHA512: 5a946174027291fcb0675d540be322f1f73405185d92230162a3c669e10feeec59d1e5ccc195ff54126265b7db1f85c06376bed750d1c9d29a4b4e4e6db5a6e0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5826ec.TMP
Filesize: 48B
MD5: 6032baffa16b7ef03d8c7b089e143fa9
SHA1: b82ee2c0e25074e18f88bf561ba596aba6032fbf
SHA256: e10e8c1e342b1bf568f605606659e6b0bad84dbac79ae7b908e2a7d58ea4f5e4
SHA512: d1d8f1d6770feea4c325329014dbd9af507dd37ea7b01f8ec1cf3fa40b3671cae2e1bcd482d1fed24c2a5569e10d04016e01beaa3895eca2665865bf9ea22ab1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: f6c9cb9808cd530acc7bca5a607a21e3
SHA1: 01ec9fb4f95aa390fb80d258b5c59b03ab64a067
SHA256: bf7d31d36508a8288a844531515ac583e1775698bb27846bb03e96a5953e14e0
SHA512: 17c3bcc534289976016c2058ef1feb1776c02803f2340a7db12224f853e1a395605d9dadc3feea55146821d64e7840132de1c732b77cf0de981096928cfbf0dc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 2KB
MD5: e70533956d19b1f72c73c4663034d275
SHA1: 0ad49666fdfb9092fda68223199e237c8b4d74a4
SHA256: 426fbc7650d14a718bbadf501dfb57af49d30e253919e973348d55290cc71b77
SHA512: 50ee88e4b71f0ab0c2bb2612f9e183ccc9cdfd0a529704f64c4704f552991deeafa15ea66377f14b40baa4f06ec10f98b2a11c77357ac801ba80c6a23dabb41d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: 77a8d85c516f1cd0685f057c6f7838bd
SHA1: af7978e8cba4a113325ff78e92a0bcb22885af0f
SHA256: 7a13d597ed64b874390b5fba2b92fe369ecd78313b2b7730140e762d2dfed572
SHA512: fea6d1860600f9ab55550316d28a5e3c8c4f3fc3290c6c109f85bc4c4a3d81f9d93b3f77249cf9aa296e1971efb7576c12b15a100c1511a1bc3d55b22627a247
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: c13b72f77b7dbc9a12b44ce1a1b54b65
SHA1: 66c536a4445e4cecd63f4490bea61cf058a9d5ca
SHA256: dc119ee1efc6509c92c385f7d70c4a29f60603d915f3c5e61e07435d9ae6d27d
SHA512: 09a95c64a2c53b9d6b442c22f358d57332b1814add3a2535c29312de1080435f043d5af8b4d4ac9097a21946f8d43a5569b1f0c40a86caee2153b99d458bbc0b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 2KB
MD5: 8fe549a48adc4eb619c9d443fc16f60f
SHA1: cc20d1301d3960728e6c96428f4d3235ddc15e15
SHA256: 7f0fbd26e105edc82780f6c93a94305a729fe2e426311b37669dc3c3411b88c9
SHA512: 3f19ff656866a18a60974840064fb5d746f6d467a3ca40d0bfe3a88a452754506da70372c2ac99df8e33110ddda15fbc117cb57fc39e56ba057f8a69619a09ca
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e4c2.TMP
Filesize: 538B
MD5: db7f681b0315e3b87220e09b2efeb14b
SHA1: 91fcae3229bf0e060555d5e8d689e0036c14849b
SHA256: bd5bd5e0495debc95c4e44a63a465530ea122fee60543f6f20a1b20aaf9f815d
SHA512: 27d71a6406e44a1e78ea998d82a954f0efade892808c08126a42467142def70d646c90b8aca4ae95b944d79ef2a23e36f8e759261f6f28830ec68b5f4a047c3c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: fff4eebdb7ad0154675d5021d9410fb6
SHA1: dd8bc5b0889a6bb428e7e395e7f7a89b9072d421
SHA256: 148ce7789c1cdc4d89360f766bd9f02211b227c031a8022d00ece72982c27023
SHA512: ff6b2ca2d702f344295cacfd184ea2386c86e7873b15c4fa7e043fae94d9c03675ecd055db088d67047b3ff2f766243d5a0845fc89855830d5ceeabf86ab92c1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: 4d5bb1cefc8b55d20f9ea30715516eed
SHA1: 9a67ba9c3aa78cb42a47228b02d783a1e0840174
SHA256: 25468d1e32e503f6ebea6d761c6b32088ee801c56f19139d2374e2cc1cd40e5a
SHA512: 44b463b675cb8d3ebcb9a5ec7ee21c5693ea8b8db484c458f41f311f0758c68e62b1f27895816786d6b76efcb749d22fea835ee93ec1786ba8df1b08f15b64a5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: 42fa4879aa45cab0e73ee4cd2328f4b6
SHA1: 6f49f4f137d3e214df0805bd7f323c56b322e0e9
SHA256: 74f8178c114f4e757e727661f0425eda77e437e452353addf6586a060cf44e3b
SHA512: 942533743e215601974ba6d9c9e443dabcfcbdb12f368f6116f1c1e5e63ca0934e176bb329494b2a23e0bc6b4244eb12e95f1e5d70114753cdae494635656e12
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: 9938175f246fc25715637e44a5e885a9
SHA1: 38b730be08e2c467dfa465c13060384a8a9e318c
SHA256: d9ee05645a5a1d6a722bd1e10da0b0b33b5d06fcc1ebb3c07b7d194e8f1b1cbb
SHA512: f9b66ed6d0fe430834001beb5c77abf0b1b09667a1e16233f5d39b0638680c807bd54ffa9f00a9a6834eba8c3c523182a507e425f577a82f48da0b08057fe8ff
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip
Filesize: 198.8MB
MD5: af60ad5b6cafd14d7ebce530813e68a0
SHA1: ad81b87e7e9bbc21eb93aca7638d827498e78076
SHA256: b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1
SHA512: 81314363d5d461264ed5fdf8a7976f97bceb5081c374b4ee6bbea5d8ce3386822d089d031234ddd67c5077a1cc1ed3f6b16139253fbb1b3d34d3985f9b97aba3
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier
Filesize: 26B
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Windows\SysWOW64\drivers\spoclsv.exe
Filesize: 73KB
MD5: 37e887b7a048ddb9013c8d2a26d5b740
SHA1: 713b4678c05a76dbd22e6f8d738c9ef655e70226
SHA256: 24c0638ff7571c7f4df5bcddd50bc478195823e934481fa3ee96eb1d1c4b4a1b
SHA512: 99f74eb00c6f6d1cbecb4d88e1056222e236cb85cf2a421243b63cd481939d3c4693e08edde743722d3320c27573fbcc99bf749ff72b857831e4b6667374b8af
-
\??\pipe\LOCAL\crashpad_2280_SIZFEANDFXKWBVHA
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1328-1741-0x0000000002230000-0x0000000002266000-memory.dmp
Filesize: 216KB
-
memory/1328-1738-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize: 340KB
-
memory/1328-1752-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize: 340KB
-
memory/1328-1755-0x0000000000620000-0x0000000000622000-memory.dmp
Filesize: 8KB
-
memory/1328-1759-0x0000000002230000-0x0000000002266000-memory.dmp
Filesize: 216KB
-
memory/1328-1740-0x0000000002230000-0x0000000002266000-memory.dmp
Filesize: 216KB
-
memory/1328-1739-0x0000000000620000-0x0000000000622000-memory.dmp
Filesize: 8KB
-
memory/1364-1745-0x00000000007F0000-0x00000000007F5000-memory.dmp
Filesize: 20KB
-
memory/1364-1747-0x00000000007F0000-0x00000000007F5000-memory.dmp
Filesize: 20KB
-
memory/1364-1757-0x00000000007B0000-0x00000000007D4000-memory.dmp
Filesize: 144KB
-
memory/1364-1751-0x0000000000400000-0x0000000000483000-memory.dmp
Filesize: 524KB
-
memory/1364-1758-0x00000000007F0000-0x00000000007F5000-memory.dmp
Filesize: 20KB
-
memory/1364-1750-0x00000000020B0000-0x00000000020B1000-memory.dmp
Filesize: 4KB
-
memory/1364-1742-0x0000000000400000-0x0000000000483000-memory.dmp
Filesize: 524KB
-
memory/1364-1743-0x0000000000400000-0x0000000000483000-memory.dmp
Filesize: 524KB
-
memory/1364-1744-0x0000000000400000-0x0000000000483000-memory.dmp
Filesize: 524KB
-
memory/1364-1748-0x00000000007B0000-0x00000000007D4000-memory.dmp
Filesize: 144KB
-
memory/1364-1746-0x00000000007B0000-0x00000000007D4000-memory.dmp
Filesize: 144KB
-
memory/1676-1761-0x0000000002200000-0x0000000002236000-memory.dmp
Filesize: 216KB
-
memory/1676-1756-0x0000000002200000-0x0000000002236000-memory.dmp
Filesize: 216KB
-
memory/1676-1753-0x0000000000630000-0x0000000000632000-memory.dmp
Filesize: 8KB
-
memory/2568-1726-0x0000000000400000-0x0000000000444000-memory.dmp
Filesize: 272KB
-
memory/2568-1736-0x0000000000400000-0x0000000000444000-memory.dmp
Filesize: 272KB
-
memory/2568-1727-0x00000000006F0000-0x00000000006F1000-memory.dmp
Filesize: 4KB
-
memory/2816-1765-0x0000000000770000-0x00000000007DE000-memory.dmp
Filesize: 440KB
-
memory/2816-1769-0x0000000005410000-0x0000000005420000-memory.dmp
Filesize: 64KB
-
memory/2816-1781-0x0000000005410000-0x0000000005420000-memory.dmp
Filesize: 64KB
-
memory/2816-1780-0x0000000005410000-0x0000000005420000-memory.dmp
Filesize: 64KB
-
memory/2816-1779-0x0000000073F40000-0x00000000746F1000-memory.dmp
Filesize: 7.7MB
-
memory/2816-1776-0x0000000005410000-0x0000000005420000-memory.dmp
Filesize: 64KB
-
memory/2816-1770-0x0000000005320000-0x000000000532A000-memory.dmp
Filesize: 40KB
-
memory/2816-1767-0x0000000005910000-0x0000000005EB6000-memory.dmp
Filesize: 5.6MB
-
memory/2816-1766-0x0000000073F40000-0x00000000746F1000-memory.dmp
Filesize: 7.7MB
-
memory/2816-1768-0x0000000005270000-0x0000000005302000-memory.dmp
Filesize: 584KB
-
memory/3040-1783-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize: 1.4MB
-
memory/3040-1785-0x000000000A6A0000-0x000000000A6D4000-memory.dmp
Filesize: 208KB
-
memory/3040-1786-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize: 1.4MB
-
memory/3040-26536-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize: 1.4MB
-
memory/3040-26543-0x000000000A6A0000-0x000000000A6D4000-memory.dmp
Filesize: 208KB
-
memory/3984-1737-0x0000000001000000-0x0000000001026000-memory.dmp
Filesize: 152KB
-
memory/4424-1724-0x0000000000AF0000-0x0000000000B65000-memory.dmp
Filesize: 468KB
-
memory/4424-1725-0x0000000010000000-0x0000000010030000-memory.dmp
Filesize: 192KB
-
memory/4424-1722-0x0000000010000000-0x0000000010030000-memory.dmp
Filesize: 192KB
-
memory/5008-1733-0x0000000000400000-0x0000000000444000-memory.dmp
Filesize: 272KB
-
memory/5008-1735-0x0000000002010000-0x0000000002110000-memory.dmp
Filesize: 1024KB
-
memory/5008-1734-0x0000000000400000-0x0000000000444000-memory.dmp
Filesize: 272KB