hxxps://xmrig[.]com/download hxxps://www[.]mediafire[.]com/file/xlsut5gucby7kxn/bta3[.]bat/file

Analysis

max time kernel
1131s
max time network
1173s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
27-05-2024 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://xmrig.com/download https://www.mediafire.com/file/xlsut5gucby7kxn/bta3.bat/file

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\xmrig-6.21.3-msvc-win64.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 411588.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\bta3.bat:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1668	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
936	msedge.exe
936	msedge.exe
4480	msedge.exe
4480	msedge.exe
4032	identity_helper.exe
4032	identity_helper.exe
4952	msedge.exe
4952	msedge.exe
692	msedge.exe
692	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1168	xmrig.exe
Token: SeLockMemoryPrivilege	1168	xmrig.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
1168	xmrig.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe
936	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3172	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 3056	936	msedge.exe	78
PID 936 wrote to memory of 3056	936	msedge.exe	78
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4400	936	msedge.exe	79
PID 936 wrote to memory of 4384	936	msedge.exe	80
PID 936 wrote to memory of 4384	936	msedge.exe	80
PID 936 wrote to memory of 1440	936	msedge.exe	81
PID 936 wrote to memory of 1440	936	msedge.exe	81
PID 936 wrote to memory of 1440	936	msedge.exe	81
PID 936 wrote to memory of 1440	936	msedge.exe	81
PID 936 wrote to memory of 1440	936	msedge.exe	81
PID 936 wrote to memory of 1440	936	msedge.exe	81
PID 936 wrote to memory of 1440	936	msedge.exe	81
PID 936 wrote to memory of 1440	936	msedge.exe	81
PID 936 wrote to memory of 1440	936	msedge.exe	81
PID 936 wrote to memory of 1440	936	msedge.exe	81
PID 936 wrote to memory of 1440	936	msedge.exe	81
PID 936 wrote to memory of 1440	936	msedge.exe	81
PID 936 wrote to memory of 1440	936	msedge.exe	81
PID 936 wrote to memory of 1440	936	msedge.exe	81
PID 936 wrote to memory of 1440	936	msedge.exe	81
PID 936 wrote to memory of 1440	936	msedge.exe	81
PID 936 wrote to memory of 1440	936	msedge.exe	81
PID 936 wrote to memory of 1440	936	msedge.exe	81
PID 936 wrote to memory of 1440	936	msedge.exe	81
PID 936 wrote to memory of 1440	936	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://xmrig.com/download https://www.mediafire.com/file/xlsut5gucby7kxn/bta3.bat/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xe4,0xdc,0x108,0xe0,0x10c,0x7fff30433cb8,0x7fff30433cc8,0x7fff30433cd8
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,17653672327880950947,11176219696040960992,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,17653672327880950947,11176219696040960992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,17653672327880950947,11176219696040960992,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17653672327880950947,11176219696040960992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17653672327880950947,11176219696040960992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,17653672327880950947,11176219696040960992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,17653672327880950947,11176219696040960992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1900,17653672327880950947,11176219696040960992,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17653672327880950947,11176219696040960992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17653672327880950947,11176219696040960992,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17653672327880950947,11176219696040960992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17653672327880950947,11176219696040960992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,17653672327880950947,11176219696040960992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6152 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17653672327880950947,11176219696040960992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17653672327880950947,11176219696040960992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17653672327880950947,11176219696040960992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,17653672327880950947,11176219696040960992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6464 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3852

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\bta3.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1668

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\New folder\xmrig-6.21.3\bta3.bat" "
1⤵
PID:4720
- C:\Users\Admin\Downloads\New folder\xmrig-6.21.3\xmrig.exe
  xmrig.exe -o rx.unmineable.com:3333 -a rx -k -u SHIB:0xb8f263096d82c4b0fdbf0ac13ec8eb3e61b97bc7.bta31#knzc-6rbd -p x
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1168

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
de47c3995ae35661b0c60c1f1d30f0ab

SHA1
6634569b803dc681dc068de3a3794053fa68c0ca

SHA256
4d063bb78bd4fa86cee3d393dd31a08cab05e3539d31ca9f0a294df754cd00c7

SHA512
852a9580564fd4c53a9982ddf36a5679dbdce55d445b979001b4d97d60a9a688e532821403322c88acc42f6b7fa9cc5e964a79cbe142a96cbe0f5612fe1d61cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
704d4cabea796e63d81497ab24b05379

SHA1
b4d01216a6985559bd4b6d193ed1ec0f93b15ff8

SHA256
3db2f8ac0fb3889fcf383209199e35ac8380cf1b78714fc5900df247ba324d26

SHA512
0f4803b7b7396a29d43d40f971701fd1af12d82f559dcfd25e0ca9cc8868a182acba7b28987142c1f003efd7dd22e474ac4c8f01fe73725b3618a7bf3e77801d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a78878950fc7319eeb74d32943f75f60

SHA1
26ea82e75e27bd89f28faa3ee09747eac09ec171

SHA256
82e935b74a4e6ae8825a1930e5ed4e0c47fd82cd0c2c9e1247a962978313325f

SHA512
3dd3c529671307506c869dbd5aee63323b0444c82451b0a7d5d131d80336b6a1bed69a5381d02ef559bf16b0b52236686fb96c283e0618a871ffb2b6036c681d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
2c005527bf94ed581791011e3fed3b9a

SHA1
808f944751d1298d4544639286896c5fd19071aa

SHA256
0e4951c55c4e3acf2fb10fe5a1c48c4710b39d23d79a898b6d6f744bf63af8b2

SHA512
19040e74cb2843c3d8eca2e9101e9d1887aa979f10781fe161649e4fbee8977dfe78f11a4bde649e6695c6947a64fe41a4ab01334eae5517b3c512581534f62c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
4707453b8f66437b5349a8de0a86e655

SHA1
e4f7ad0a3686a42b9056fddb6ca16d0923ef7642

SHA256
9eae4de307c30b299bc460c53d8b07b830f9f7b9fedf7a8e3111602483b70259

SHA512
4763a83af3666974bbebe8d3321c21ed13444993e0415306bef24bf4ca563a687a90e82bec1eb1083e2a2b8ca064a4745b9b652e8132153fef859e16c6192eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0154d59181e9601210f10bd7ba8ea00e

SHA1
67f6f4e0ae7215740d50661c08508f7300cc3fb7

SHA256
b41c0146bbdb91822708aabd6b8a4b25d79892bcd18c41f16e56f525c5ff774c

SHA512
9cb99d88b98514fdc5e51d95bd09d86ec7f2b8d8c5a71738adcea38663b28debd69b3819110c884e6b38f51d3fd5b83502b01f91cef313ca3e69ee6433204bfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0b0318ab1a166c36bd192ae97b94c07c

SHA1
e84832c7bbe9158ca0349d568bfd5a8ff330591f

SHA256
2a0a0ddd351e3af6167dbbc58604b99c978aa89f94c63dbd1b9a5f2b792eb70b

SHA512
48255adf978b1e223cf6318701c552eca6590f551163aad98232f3545867ad4e99a00513d2d87ae3343e83297aae408a8bbc40ed71feb632fb6cc41a37331b20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1dfdef5b890be793446635179692a0b3

SHA1
69115af2410a90626768e71956ceda76a8b421f4

SHA256
bdf99a91d58d7f354f85dfd80d55e3f0b2a0fdf454527b62c08ff2e7f9ba2d62

SHA512
c1ee7dbf9b3e36406541df75a540513a6f5fdbe646dba52b049217eab48fdfbb45f4a77f8609a6ceb47b015d3da37d24ece07c6f6db1ffcf644f298a77acb609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
761d4f3110702a6bc1f05fe1677b5efa

SHA1
ec4ef59cd779232ee59828a3a029fea13f595d1b

SHA256
ec6327917d0f562724711f79b351e00c9d4622f18f6ff5476df9c7d0eb393e74

SHA512
546facb49054992cfa83f6865dd46f229855ff7729a86e1314c4aec19957c2a23efbe627a25e60c3d2a4771cb4817a0dd09bb9a1f83a787352ce46e2129e2ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
682e95d47e48ad88a624cd9e38863567

SHA1
1ca9370e19428d5b16ce73ea444b5fd9541655f6

SHA256
ceec21f9475dc6936af620a4859fbf5eafc2238e4fbb26dcc6e899a93c12cf17

SHA512
02792fe5b038fabd94c88fabe21fe329d2e646324f073de4415502e27a3a5662b68f353412ad607479af474ed2225daff8f2dcb436d8d13eaf0175ff8e978398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579412.TMP

Filesize
371B

MD5
792988dc4feb44878e5e7da63faa8c0d

SHA1
fa5bfba0dce4426de7826fb04518749a2cd2cf0e

SHA256
271b2f7f62fc885b43b95e68f4c3a21a6b4fea33a2bd8288b2de3b5c0d78549d

SHA512
51821f60a2260a1e59926fb3aa966d4b76e34c29f66a44038f6ebf7c38b16bbc319ae4d887c072e73d0304da915dc78c478aa2583b520d708ac2694ba215ec06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4799afec7362498eca45e5262468a8bd

SHA1
8fb8ae217594f65396b71ba4fedec40c6d557097

SHA256
e16f58b50bfd59f285561522134a9318575724482724e40e0748d253cdd53472

SHA512
bde6efbc4fe5d05246300f1e9b2e3f8689ecdc122e96478f800313c02a86f82b7c534eb8884a1937b630c8cb265c2228152c440a45c17dc1bd46bdb3812dcbea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dc0d5369f901b1fbba9c5c65d73fccb1

SHA1
96375950ac505ad4b299515a0a4cbf57c0867da7

SHA256
df954bf5dafaabdace632aa1b893297db8f89936a645a9dd00f85034be2e1748

SHA512
ded7a4789694482ce7fa1744fd5406d60d60683a60cd8c7e5ea7a61e342744d5aa1bfe8749c13ee5fd33ce32c12f52359e9e0e8a18a78cd54c4c08ec3da70206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
85506184a5ec04d164ce0fed7cb262ff

SHA1
260184ae254f02a0b2b000233b39611d5edd51de

SHA256
9df80f8a6b9b5c65ab0de3f194967be39481a5903b1378fc9f3be08e61c36687

SHA512
f068ad8a2bbb105dcd6d0a6ef8028008268fe8974238971f0f33af3c137903cb3477fcafeaf9082309076f3124105e91900eb2d5e9fb22deb8570a1d51f00d3d

Download Submit
C:\Users\Admin\Downloads\New folder\xmrig-6.21.3\bta3.bat

Filesize
123B

MD5
ef8e4ef9e1b5512a91475bd40efe6b5e

SHA1
525c2fe889f453b378b0277d18dfa52a944bb136

SHA256
8dc4b7d65ad8d0f915c69baa8abc509bf5dc657d2b287ed2455d59602e26cd32

SHA512
da02da4cc74137c450773d40135657b3b42cb6b85f0f56f6f716af060716df1c7734ee3a9b205dd89077d477054c3efbee8d643c93ee42d89384d918bb34339e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 411588.crdownload

Filesize
122B

MD5
5af4cef3e70a59972886570c585a2d9b

SHA1
95d8e3bb9f379781e7387af70a8f341e19a34ef5

SHA256
39e853f1f5d24b650902a0c4a69bc8873ae237566d74bd38a331b92963750833

SHA512
451797ff79991eb7237397b7f19fe5d04a691ec2a578a7947a440d08bbed4a0627ca66894826b60f07025e9cc68df2c71322fd66f2f233fff43e0886aedaaf9f

Download Submit
C:\Users\Admin\Downloads\bta3.bat:Zone.Identifier

Filesize
310B

MD5
8c8ad70c59ad6a0bbe4b2bc01bf28cce

SHA1
b7a7068d648ea8c054bcb609edbac666d0beafa0

SHA256
ce9c7939e81dcf0d77ab71ad2b4bbe99f999e00e52c37e538319ce3ca30ea504

SHA512
add4e963c8fbd39254315630458ca0e9bdfba04a3301078c26c70dfbf0a975f0912a73dadd3717fbd2c228f74d42703d4671ea473479ce0c7cc7c53962dcd79c

Download Submit
C:\Users\Admin\Downloads\xmrig-6.21.3-msvc-win64.zip

Filesize
2.5MB

MD5
cef0ae1ab544e40b659261a4e07fe48f

SHA1
e5ff855ce3c7726a50eb50a634ff9f406b3df093

SHA256
713263085499ae626a6148fab67932c9a69611b21ac3d04cf52a5e23495f902e

SHA512
1fb23b385e6cff3653f0b4b397d092c7be4df62899c97e18f675df2024e5f06ef2596fb626b85ae2ef7d7583c5bf54b00dba1a5ad566c2707a669a48d9814ba8

Download Submit
C:\Users\Admin\Downloads\xmrig-6.21.3-msvc-win64.zip:Zone.Identifier

Filesize
58B

MD5
979bad772ac67df98dd213a9dda044fa

SHA1
c1054654cd9955956514438138a40aa8d1a30e38

SHA256
6ab1f259b62af417a18b94241fcc1e89fdecbe2193568876f079d0754ef648af

SHA512
ef6c2b54ba4c08f4884a7599c366530223bfb0d0dde0502702678809604d6254aa4871efef55fe9d5196989a8b6d1aa572bab0750695d7def435a384a17d5f36

Download Submit
memory/1168-436-0x000002B320FF0000-0x000002B321010000-memory.dmp

Filesize
128KB

Download