Analysis

  • max time kernel
    112s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-05-2024 07:35

General

  • Target

    https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/MadMan.exe

Malware Config

Signatures

  • Chimera 64 IoCs

    Ransomware which infects local and network files, often distributed via Dropbox links.

  • Chimera Ransomware Loader DLL 1 IoCs

    Drops/unpacks executable file which resembles Chimera's Loader.dll.

  • Renames multiple (3242) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 27 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/MadMan.exe
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc4ec546f8,0x7ffc4ec54708,0x7ffc4ec54718
      2⤵
        PID:4728
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        2⤵
          PID:4980
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4500
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
          2⤵
            PID:4736
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
            2⤵
              PID:4600
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
              2⤵
                PID:3104
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 /prefetch:8
                2⤵
                  PID:428
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2876
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
                  2⤵
                    PID:2100
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
                    2⤵
                      PID:4316
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
                      2⤵
                        PID:3488
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
                        2⤵
                          PID:4064
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6028 /prefetch:8
                          2⤵
                            PID:3516
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
                            2⤵
                              PID:1512
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6304 /prefetch:8
                              2⤵
                                PID:4316
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
                                2⤵
                                  PID:2816
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1792 /prefetch:8
                                  2⤵
                                    PID:3340
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5952 /prefetch:8
                                    2⤵
                                      PID:2228
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,7134035049684678724,4581287405519317850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6492 /prefetch:8
                                      2⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:1060
                                    • C:\Users\Admin\Downloads\HawkEye (1).exe
                                      "C:\Users\Admin\Downloads\HawkEye (1).exe"
                                      2⤵
                                      • Chimera
                                      • Executes dropped EXE
                                      • Drops desktop.ini file(s)
                                      • Drops file in Program Files directory
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3428
                                      • C:\Program Files\Internet Explorer\iexplore.exe
                                        "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
                                        3⤵
                                        • Modifies Internet Explorer settings
                                        • Suspicious use of FindShellTrayWindow
                                        • Suspicious use of SetWindowsHookEx
                                        PID:392
                                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:392 CREDAT:17410 /prefetch:2
                                          4⤵
                                          • Modifies Internet Explorer settings
                                          • Suspicious use of SetWindowsHookEx
                                          PID:1988
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:1848
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:1336
                                      • C:\Windows\System32\rundll32.exe
                                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                        1⤵
                                          PID:2880
                                        • C:\Users\Admin\Downloads\HawkEye (1).exe
                                          "C:\Users\Admin\Downloads\HawkEye (1).exe"
                                          1⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4992
                                        • C:\Users\Admin\Downloads\HawkEye (1).exe
                                          "C:\Users\Admin\Downloads\HawkEye (1).exe"
                                          1⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4520
                                        • C:\Users\Admin\Downloads\HawkEye (1).exe
                                          "C:\Users\Admin\Downloads\HawkEye (1).exe"
                                          1⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4904

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

                                          Filesize

                                          4KB

                                          MD5

                                          bb83524d0261a715c176def3fa5e7712

                                          SHA1

                                          4eb6990d74067a813c49b29ea70755bd5b837378

                                          SHA256

                                          70df37a98059ede787addbd410145e6f8046b3cb475109d91a723975845b9a50

                                          SHA512

                                          f768437ee7aff5553a958b9ad1f6da0bea215fafd3786c7fcc8d3c907ebf94251eddefc8d0de92e3f46c6681bfbd996cffa7d2d0785bd68ec745ed55675a4980

                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HawkEye (1).exe.log

                                          Filesize

                                          20B

                                          MD5

                                          b3ac9d09e3a47d5fd00c37e075a70ecb

                                          SHA1

                                          ad14e6d0e07b00bd10d77a06d68841b20675680b

                                          SHA256

                                          7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

                                          SHA512

                                          09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                          Filesize

                                          152B

                                          MD5

                                          56641592f6e69f5f5fb06f2319384490

                                          SHA1

                                          6a86be42e2c6d26b7830ad9f4e2627995fd91069

                                          SHA256

                                          02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

                                          SHA512

                                          c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                          Filesize

                                          152B

                                          MD5

                                          612a6c4247ef652299b376221c984213

                                          SHA1

                                          d306f3b16bde39708aa862aee372345feb559750

                                          SHA256

                                          9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

                                          SHA512

                                          34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                          Filesize

                                          1KB

                                          MD5

                                          0b7bd0a0343ad56911434c9637c6670a

                                          SHA1

                                          e999f3e410d7ee8c36037332330d5c383f221182

                                          SHA256

                                          22348e0eb750221bc89a958b5b595612d36a31b07688f190fc013ab72865fbc1

                                          SHA512

                                          ff4bc855ec0c16d228f353d397243c8cedb0d4bc90052e246031c3ab9536121acb48bd03e3a0695673f99f03795fd118f16e46ada31cd25de727f6afcf34d3f6

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                          Filesize

                                          579B

                                          MD5

                                          65fb584b67e9d4b5954709456bc4c315

                                          SHA1

                                          6c0de0d8ad3ffd005cce777407fe7e3875ffca03

                                          SHA256

                                          5cec29dac5bffa8786cdf78db81c40b7f87e809057bc371b756405d58ac03e62

                                          SHA512

                                          96d08c027b3e75416aad7a1c614a4ed24f53c444e2df32b75ab2884116cd4a80bc44a1e823d9d64918181dce78f8548e908d8a3e1fe217a7e37deca6e2d5b4fa

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                          Filesize

                                          6KB

                                          MD5

                                          3e7fc35b9d94c8a0013f748eef55b60a

                                          SHA1

                                          9abb9725fb1bc7086b686afc475ce21bb9943333

                                          SHA256

                                          a9dfee5babd9a09122653779eb87211ba32ef9c03fd41ee06029aa73a53abdd6

                                          SHA512

                                          8346ae61f212c9fd86959550d385ee7b7d66bea6d9e4de6725469244f5378722f6e0cc11e79891802df5d70b4c1e93ab4830e0248fcf06187d745cb44528e385

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                          Filesize

                                          5KB

                                          MD5

                                          68e5b9e6d084187efa5772348233deb1

                                          SHA1

                                          2f9d9be022cd0e46437b20e6a4915276d76e116b

                                          SHA256

                                          67bb3afdd5d213d55416948b3df8e97341cfb4c8b243a3e15c9c738e015fe328

                                          SHA512

                                          421c01426d90c1aebe0f5d748793b2bc4f4560a3a75553b9c52fbab0d43265ef6a28d342388e7cff288f871184bf135d1e0e1ef529708b8170ab94549a4ced5a

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                          Filesize

                                          6KB

                                          MD5

                                          a3b2f89716701c860b76c5735c08c363

                                          SHA1

                                          45f465a49d9d45e90e7acc8c1b1842db53b8d43b

                                          SHA256

                                          0a343b8baec7db001888ed6698b37556bf134bbf740c1f819f044e8f2ce8b677

                                          SHA512

                                          3582fa2f33e2cefc181212cb3b3df1bf48bf0b63b7f9710c33d5a9ff129edf60151651995f0c4b8336fe1c4aa364fb51ea22bcf834e473c796651dd0951d6249

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                          Filesize

                                          1KB

                                          MD5

                                          0229dea7eff6bd798dbbae1a1655c9e0

                                          SHA1

                                          31876d564aee7ce760807bb4934ba5258258ad98

                                          SHA256

                                          4281a91f65d3e9906868f17a53aef38a6786cd7b398c086b79e5a22ef7a3690b

                                          SHA512

                                          bc1fb454f128b1a455737e61258f5f373f9e71aef51324b12a7b7809992a3e0d264ecf54e64680ffda9dcf5198a2c5fcec7662bfb4b01387ec2030c31deeeed6

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                          Filesize

                                          1KB

                                          MD5

                                          33a22f893b988c6d0b92522535ae1fb8

                                          SHA1

                                          a2ece7a9bf978cd027b350e8fddce8d2818da7ea

                                          SHA256

                                          eb8382b2994064699931e8c041cc5103d27935812254a76530341762bc58a9e3

                                          SHA512

                                          5ecef0e59d8ec9eee34dc3d35797920de0aa933afa8752d8ed85576993c7d95b6363fc412c0764213e24ce8fa7f8951794bc92fef30250c35a5a5137dccc81d0

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                          Filesize

                                          1KB

                                          MD5

                                          9ff3efe6f596550be94038e3d4d622b6

                                          SHA1

                                          ff9f99815f983fe770ced4e9be33351ec53da7a9

                                          SHA256

                                          a517d14e26d54338b48fb64e11ec226793d548d74e739aa85d6e1eb7cc89d71d

                                          SHA512

                                          fc222258facfc2be509e216b04846a9b14929585ac48320be1899e63127f154564e0fa65d60d57aa94ba07ff761c67adb1bc3cfe97e9e5c82eff5b6d55fd2491

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                          Filesize

                                          1KB

                                          MD5

                                          b7036449e2d9d7698abf229c5d3fb709

                                          SHA1

                                          037179a25aff1548aba0e582493833220bffe91e

                                          SHA256

                                          bbc1cc8dac274fcc2033e9312be7a3e1b4132097bee9cf31b5613b6a7fccb571

                                          SHA512

                                          e593539de2b81c5063e3397808b872c62816d108da062f50c6ff5c17fec39e746d809d96677a793c0023d268bd307b43ea299a283d785624127f730fa0243b95

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                          Filesize

                                          1KB

                                          MD5

                                          d3be05ec97149f9641db4e93898c7f8d

                                          SHA1

                                          26c6ab8c95d6591b38c9c68832bc03b49ec9ecde

                                          SHA256

                                          dca423e3c070b33e7ca4083e25e940d417efcbd9525dc0f8b2731b8e833802ea

                                          SHA512

                                          151bdc50a3f4872ff5730593f919308f9b40fe396ddb25d6460f7400c92ee3f12d99c251dcdf72c761df7248bae0459ff3383a5c398202cbdfc0930c66631fc8

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579069.TMP

                                          Filesize

                                          874B

                                          MD5

                                          34a59382b87635219e3e4c4556fbabe5

                                          SHA1

                                          1a0c94af9cc15ef5cf08699d018b03310d9d2b30

                                          SHA256

                                          aae54d3845e660699f6cfbf65648c4e4ae40adf0d5fbe8a4bf64c16c2e35598e

                                          SHA512

                                          457df783f706f018daa6afa6f126a4a73c42784577df6e9999dc1126bdd5f8c21feb44c8418511d5a32830d5e5d4cc288029567dccb0b3bba5b84dfbe3654ff8

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                          Filesize

                                          16B

                                          MD5

                                          46295cac801e5d4857d09837238a6394

                                          SHA1

                                          44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                          SHA256

                                          0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                          SHA512

                                          8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                          Filesize

                                          16B

                                          MD5

                                          206702161f94c5cd39fadd03f4014d98

                                          SHA1

                                          bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                          SHA256

                                          1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                          SHA512

                                          0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                          Filesize

                                          12KB

                                          MD5

                                          9eac28f6f5804781699057e96855e105

                                          SHA1

                                          70332524aa6fa38f722f4a2e641c3c9638cdccf7

                                          SHA256

                                          573ec52e040cd5ca5f7eab2029a89e2afb6a02ffd1bf6b8b44530b2e0c6d4bf5

                                          SHA512

                                          fa4d36e79aea110d7d6aab1515a978f140c166021f088c02bff6d06a089ffc250ffd266545cb819a00f41710d84a35e2dbd45c247fdb4b6322311d6978e2c006

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                          Filesize

                                          11KB

                                          MD5

                                          751f554adbd9557e7b409085fe138b09

                                          SHA1

                                          4d83fdda381a8309d0d357b332693d9e533da80a

                                          SHA256

                                          f74daada21ab0f855820ad5cd219d291d9172cb9abf7f08f1accdb2bc6a7d84d

                                          SHA512

                                          13376ce692b40a67640764504933a8ec64bcabf33ed60cc0d7ff6b355857ffa0a0ec67e63be35d4c6fee695c6c9a482c6ab956eaad82ff6417aaa761601f81e5

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                          Filesize

                                          12KB

                                          MD5

                                          52fa57b777e16669a33791b6b443cffb

                                          SHA1

                                          eb61c5f7953046d96a5a18404ed83dbeacb8f986

                                          SHA256

                                          181e4df4d77687fea759bf88c6c6165e4ca294f5ea140063dfe4d30c5eedf76b

                                          SHA512

                                          f6ae5db4c267a1d6e5955676e61b4f21b1a931ba945e39fd3e8654fa78be99da55fa4261e5ce5d0e83d17814017bc94a639b3796df94d78fc9be6584b999c205

                                        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\m4t5s7d\imagestore.dat

                                          Filesize

                                          6KB

                                          MD5

                                          33595bd6c8b5e7d9e0c823986b23d07a

                                          SHA1

                                          c1798bb9e81574fa5299631fa21e7158474fd5fa

                                          SHA256

                                          d2d5e56f39c8de8a57e36f480086f7ac584aab5c42cc70444f1dee02f77512ba

                                          SHA512

                                          4830a1aec72a0753be38800e2bf285014abe655149fc6eb42080cb68d051c4b020e3ca6eeed90b6b4d1e4a15ada02813b79ddd70322012df218b60945efe26e9

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3YK18YAR\favicon[1].ico

                                          Filesize

                                          6KB

                                          MD5

                                          72f13fa5f987ea923a68a818d38fb540

                                          SHA1

                                          f014620d35787fcfdef193c20bb383f5655b9e1e

                                          SHA256

                                          37127c1a29c164cdaa75ec72ae685094c2468fe0577f743cb1f307d23dd35ec1

                                          SHA512

                                          b66af0b6b95560c20584ed033547235d5188981a092131a7c1749926ba1ac208266193bd7fa8a3403a39eee23fcdd53580e9533803d7f52df5fb01d508e292b3

                                        • C:\Users\Admin\Downloads\Unconfirmed 344023.crdownload

                                          Filesize

                                          2KB

                                          MD5

                                          a56d479405b23976f162f3a4a74e48aa

                                          SHA1

                                          f4f433b3f56315e1d469148bdfd835469526262f

                                          SHA256

                                          17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23

                                          SHA512

                                          f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

                                        • C:\Users\Admin\Downloads\Unconfirmed 742807.crdownload

                                          Filesize

                                          232KB

                                          MD5

                                          60fabd1a2509b59831876d5e2aa71a6b

                                          SHA1

                                          8b91f3c4f721cb04cc4974fc91056f397ae78faa

                                          SHA256

                                          1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

                                          SHA512

                                          3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

                                        • memory/3428-299-0x00000000054D0000-0x00000000054EA000-memory.dmp

                                          Filesize

                                          104KB

                                        • memory/3428-294-0x0000000010000000-0x0000000010010000-memory.dmp

                                          Filesize

                                          64KB