dharma | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

25-09-2024 13:13

240925-qf647szgqc 3

25-09-2024 13:08

240925-qc8hvsxamn 9

25-09-2024 11:49

240925-nzgbsaxbjb 10

24-09-2024 15:55

240924-tdaj1avgjg 10

Analysis

max time kernel
731s
max time network
809s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
25-09-2024 11:49

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

dharma aspackv2 credential_access defense_evasion discovery evasion execution impact persistence ransomware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (553) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

NetSh.exe

pid process

8864 NetSh.exe

pid	process
8864	NetSh.exe

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 334776.crdownload	aspack_v212_v242
C:\Users\Admin\Downloads\Unconfirmed 822753.crdownload	aspack_v212_v242

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 4 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe

Executes dropped EXE 2 IoCs

Processes:

Avoid.exeLauncher.exe

pid process

2084 Avoid.exe
3404 Launcher.exe

pid	process
2084	Avoid.exe
3404	Launcher.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CoronaVirus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4272559161-3282441186-401869126-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4272559161-3282441186-401869126-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
38 raw.githubusercontent.com
39 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe

flow	ioc
1	raw.githubusercontent.com
38	raw.githubusercontent.com
39	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-convert-l1-1-0.dll.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODBC.DLL.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DocumentCard\DocumentCardActions.base.js	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClientSideProviders.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-up.png.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationFramework.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\COPYRIGHT.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesBadgeLogo.scale-200_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleSplashScreen.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL.HXS.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\d3d11\libdirect3d11_filters_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-amd\types\ITheme.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\ui-strings.js.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\mashupcompression.dll.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_no.dll.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\ui-strings.js.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Primitives.resources.dll.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\psuser.dll.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GetHelpStoreLogo.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-lightunplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Trust Protection Lists\Mu\Content	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-exit-hover.svg	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.dic.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\WindowsBase.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-pl.xrm-ms.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_fi_135x40.svg.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationClient.resources.dll.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_icons.png.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\ui-strings.js.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.resources.dll.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FilterModule.dll.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptyShare.scale-200.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-fr\ui-strings.js.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Input.Manipulations.resources.dll.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\NotepadSmallTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-process-l1-1-0.dll.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\Microsoft.VisualBasic.Forms.resources.dll.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-24_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Check.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mfc140u.dll.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\PREVIEW.GIF.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpAppList.targetsize-60_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sk-sk\ui-strings.js.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jsdt.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\hxds.dll.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODATA.DLL.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-96_altform-unplated_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\ui-strings.js.id-126BED6A.[[email protected]].ncov	CoronaVirus.exe

Drops file in Windows directory 2 IoCs

Processes:

chrome.exechrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
File opened for modification C:\Windows\SystemTemp chrome.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Avoid.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Launcher.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2268 4200 WerFault.exe YouAreAnIdiot.exe
2648 4964 WerFault.exe DanaBot.exe

pid	pid_target	process	target process
2268	4200	WerFault.exe	YouAreAnIdiot.exe
2648	4964	WerFault.exe	DanaBot.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Avoid.exeLauncher.exeYouAreAnIdiot.exeDanaBot.exeWindowsUpdate.exeCoronaVirus.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DanaBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 5 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

22844 vssadmin.exe
20392 vssadmin.exe
8384 vssadmin.exe
8392 vssadmin.exe
8404 vssadmin.exe

pid	process
22844	vssadmin.exe
20392	vssadmin.exe
8384	vssadmin.exe
8392	vssadmin.exe
8404	vssadmin.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133717391032012140"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

NTFS ADS 5 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 334776.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Avoid.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 822753.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Launcher.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exechrome.exechrome.exeWindowsUpdate.exeCoronaVirus.exe

pid	process
2740	msedge.exe
2740	msedge.exe
3360	msedge.exe
3360	msedge.exe
2416	identity_helper.exe
2416	identity_helper.exe
4264	msedge.exe
4264	msedge.exe
1964	msedge.exe
1964	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2884	msedge.exe
2884	msedge.exe
4200	msedge.exe
4200	msedge.exe
4828	chrome.exe
4828	chrome.exe
3156	chrome.exe
3156	chrome.exe
444	WindowsUpdate.exe
444	WindowsUpdate.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe
1004	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

Processes:

msedge.exechrome.exechrome.exe

pid	process
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exechrome.exe

description	pid	process
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	4828	chrome.exe
Token: SeCreatePagefilePrivilege	4828	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe

Suspicious use of SendNotifyMessage 47 IoCs

Processes:

msedge.exechrome.exechrome.exeWindowsUpdate.exe

pid	process
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
3360	msedge.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
444	WindowsUpdate.exe
444	WindowsUpdate.exe
444	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3360 wrote to memory of 1852	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 1852	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 3568	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 2740	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 2740	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe
PID 3360 wrote to memory of 924	3360	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffce81f3cb8,0x7ffce81f3cc8,0x7ffce81f3cd8
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6324 /prefetch:8
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6252 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1964
- C:\Users\Admin\Downloads\Avoid.exe
  "C:\Users\Admin\Downloads\Avoid.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1648 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6460 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2884
- C:\Users\Admin\Downloads\Launcher.exe
  "C:\Users\Admin\Downloads\Launcher.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12647105902208206014,6040321402853556929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:2568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:2528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2464

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4200
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 1452
  2⤵
  - Program crash
  PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4200 -ip 4200
1⤵
PID:1656

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 300
  2⤵
  - Program crash
  PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4964 -ip 4964
1⤵
PID:4064

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt
1⤵
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce7cbcc40,0x7ffce7cbcc4c,0x7ffce7cbcc58
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1848,i,4048811824724799231,4903572392550442628,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1844 /prefetch:2
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1752,i,4048811824724799231,4903572392550442628,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1512 /prefetch:3
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,4048811824724799231,4903572392550442628,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:3404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,4048811824724799231,4903572392550442628,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,4048811824724799231,4903572392550442628,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3096,i,4048811824724799231,4903572392550442628,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4412 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4536,i,4048811824724799231,4903572392550442628,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,4048811824724799231,4903572392550442628,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4556 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,4048811824724799231,4903572392550442628,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5000,i,4048811824724799231,4903572392550442628,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4348,i,4048811824724799231,4903572392550442628,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4272 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3268,i,4048811824724799231,4903572392550442628,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4332 /prefetch:8
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4920,i,4048811824724799231,4903572392550442628,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3448,i,4048811824724799231,4903572392550442628,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:732

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1404

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\rickroll.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\rickroll.exe"
1⤵
PID:3792

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\rickroll.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\rickroll.exe"
1⤵
PID:4508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce7cbcc40,0x7ffce7cbcc4c,0x7ffce7cbcc58
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,15993173196468070570,2648201684725311137,262144 --variations-seed-version=20240924-180914.572000 --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1692,i,15993173196468070570,2648201684725311137,262144 --variations-seed-version=20240924-180914.572000 --mojo-platform-channel-handle=2076 /prefetch:3
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,15993173196468070570,2648201684725311137,262144 --variations-seed-version=20240924-180914.572000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,15993173196468070570,2648201684725311137,262144 --variations-seed-version=20240924-180914.572000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,15993173196468070570,2648201684725311137,262144 --variations-seed-version=20240924-180914.572000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4452,i,15993173196468070570,2648201684725311137,262144 --variations-seed-version=20240924-180914.572000 --mojo-platform-channel-handle=4464 /prefetch:8
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4556,i,15993173196468070570,2648201684725311137,262144 --variations-seed-version=20240924-180914.572000 --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4456,i,15993173196468070570,2648201684725311137,262144 --variations-seed-version=20240924-180914.572000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,15993173196468070570,2648201684725311137,262144 --variations-seed-version=20240924-180914.572000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5004,i,15993173196468070570,2648201684725311137,262144 --variations-seed-version=20240924-180914.572000 --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5200,i,15993173196468070570,2648201684725311137,262144 --variations-seed-version=20240924-180914.572000 --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5344,i,15993173196468070570,2648201684725311137,262144 --variations-seed-version=20240924-180914.572000 --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4376,i,15993173196468070570,2648201684725311137,262144 --variations-seed-version=20240924-180914.572000 --mojo-platform-channel-handle=4188 /prefetch:8
  2⤵
  PID:2256

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2520

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CookieClickerHack.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CookieClickerHack.exe"
1⤵
PID:2880

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\WindowsUpdate.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\WindowsUpdate.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:444

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1004
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:1228
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:10836
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:22844
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:8764
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:20588
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:20392
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:3468
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:5220

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe"
1⤵
PID:22240
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:8404
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:8392
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:8384
- C:\Windows\SYSTEM32\NetSh.exe
  NetSh Advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  PID:8864
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" -r -t 00 -f
  2⤵
  PID:12584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5152

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\53dcc0a7e20445f3bfb4303c2dd0ea8e /t 5144 /p 3468
1⤵
PID:12656

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39e4855 /state1:0x41c64e6d
1⤵
PID:12620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\123.0.6312.123\icudtl.dat.id-126BED6A.[[email protected]].ncov

Filesize
11.0MB

MD5
d2cc6f96671bd9b7d89c0507bb69b4e1

SHA1
41bd3243139ed08988fbf9675e8ddffaa4068a39

SHA256
eaf683c4ea2e853d00261e46b352b53a4629a6492eafd2ba42043afb88b0c25a

SHA512
e94a919e2394ae10a51186cdfbcaf75ae7c6682d4319129df818f7441a58e55422ad19b8d92a3314704bbbd0d77c2081029843144ab941c7695ac0689bd6bcb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
bd16a469a2f384cca65c4880add00f20

SHA1
6ce5bac367836facc9df6a687f7de6f479697e5b

SHA256
1bc3ea81c6094652b7c8b0f3c09394238ce06f7ac9ebc94394fe3024bb24169f

SHA512
3091254efae254d49da2e59112d963c4fd86e70464dbcd1fcff7e61dba632f1c4a69c6270a15b33af7a5d95ae9569d0365e5072afd9463a8ccce0a3c719990ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
cdf5979795a548e2e1df74b55ca4bfa9

SHA1
18bf4aa13dbbd804a5140885400fff38ae2e13eb

SHA256
c6aebfd13076c63b64c9c8b78df3f629dd6ae606c9a211d33d22b4ae32091a4c

SHA512
31a9920029de7c7374dfaf542af29f8c0e5bf7e1b7e15b3f938d923d796a7688a7bc8555cfd88375bc23a573bbd99ed3063fb5333123363dedf23d426a9ad254

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
6bfb34f2c710a85a168b75942d5f530a

SHA1
8b91bc13f1eb8f4ed7073f24f9d2deb84a08aa8b

SHA256
dee6df17e269a2acb58d0d048953caa54e8aa6bab47281fe6b175ab188cd6c98

SHA512
57f8c5c05d7e0ac889036e657c4cdfd5a54637ea95d7da854ad0daf14b695fa3b84fa867e535c3f065fb62721ef73124e7db5f8e32edf8411e4dd17c2db2d92f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
b0811b62826d3de7c09d85ae9d74c94d

SHA1
c6b2413084091f04c4d50b7c002c0151d10fc06b

SHA256
79f2570287d3abba8845ab29901b304959622f682051c16c1cd51a2ad8d4db80

SHA512
549138c6b7a3a0b6eb3ddb9e24b66328d5793f4f39f2ecb6d6080b7c1891fea4cd857193e0c8ee214a9c4561b94d86c41c7058d3276d03205833446112d5e9c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
38d51e328a705db6305b731efe55fa7d

SHA1
c091b40be6562be7ff44ac7bf24fbaa2a365d698

SHA256
aeec61f45b5c183dd3c999fb538b2772bc501e364834d1db2e550938d4c67eab

SHA512
184e0cfb7a0bd7ccb9ef8ac883da0f61b76a4e27234e0184e21c1dc6bcb827e98ffc46abe86fd0739f51f8a0855f3af6cfe1c2f7db259277c365cea614df3296

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
d4265ed4ea75a0660c61693ffa31cc3d

SHA1
7f419a3b12eafa85120eea0710c53d80516281ba

SHA256
e8b18862899d4df13bd276b05bd426ee34cfa1349c6250a8bca75768993d0a2b

SHA512
e87d1b1e4f23ed7ce52e0ec0edaf84465e5e8b5b36625d0672b695eae7d1ed798d370b5be491307f76aad743a48fe53bb4e127db42d5d056b5c1c63ac22a7df5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
28KB

MD5
65a15da1df63a29410432743ec6cbea2

SHA1
bdc786928fcf8921ccbcb78baec31d96a8d3a66c

SHA256
1f379ec6c9bf817b93723ef9ab368277d3eada378d7af615fe5a20033122d901

SHA512
9f6e7e98f0e6bc71a443d13ee4676e95626f143652dbf8abcdc81e9bc085e151225f7884714093bd366f96f9bdd5be63fafe2fd6c185b5c556858b792f330d20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b2922556143365b3fcc6c1525e04dbd9

SHA1
295e50094a01484a1c62caa13fa668195cc367a2

SHA256
009941cde8717f65137275b5b9c1b9f8636c81d5c31c5cf9bb15763c8b31e977

SHA512
03de53bb1935506bfbb79d513006cf0fe4b35bbafa5925a233fddbd00b84a864144022b9687e2e20b7fc0fd9a5d3abb23be6e7b65d5f274492906ee13729eed2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
09668230434678e53f87911b2af3c371

SHA1
a56d3e6a7a4c556292d6b488e13f76633451a34d

SHA256
7915da8050de9ff80215bfcb101e51dad5d9abf9ed5cad0688a40c0aaaf5df77

SHA512
efb8324d344da605a03694e0d7b259dac7ae26f18da501555bd114199ed9f903ccbbc6ce002ab28faf2750851638bfd6cb3c12dc442f3797343e764a7c6c84e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons

Filesize
20KB

MD5
b8245c20b0f0f268c959377c02623a7a

SHA1
21ac8b622c29abfa5e0a72ed92cdd06ab5628b0f

SHA256
7acdcc5b9ba859e420e36525fa9d22bd97af11682198bd9f3d41ccaa510a5819

SHA512
c1b59f7c53879233c23325ac4c57c670cdf999a1e7538d2ef077bc9501a59c918c1b44e23b6dfabcc6a47a317be9820f72a17ef7b45354955857f8f471c5dd50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
98ae0a052d81bf9ebd7091af92e3772b

SHA1
7f401cd7934780db0876f47d75f1b85f8831ad17

SHA256
825b4a0fb8bce9f520e3ae1a160096a16013162866fbc75a4217a05247db2fbf

SHA512
b10a686201d1edf7a36785963ae969d73aec4554f9e0ca90b24701d75044a2e6956ce99e7c01722894c6acddf6cda1f6f675efdf696de1ecbd6d6889cc10ee16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c726c568c7b12a55239d81a4641793fa

SHA1
65340edb4a958bbfbd85e97c8c0c7bef8512ab74

SHA256
29444f4b27f3ec3c6f2e0eeb5727022ec4d49d4f80e59bea3638477b4e7a7be8

SHA512
79ef1182a6eba3697d26491dc0d7e8463f440fde2bb64eb93ae04809410056954da534471b7b441f0ee09f3b05149cb490fb43415f6c636616499bd3e78ce8d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
f2cc3d496ed8b9f8d00508ee9f61ee2b

SHA1
b18cb638fa1e4f56706491ad53c0cba924c4e853

SHA256
a5e69896373a5787d2423f1bbc91d2d2d094363b1a8a15a55b94361e6839ec02

SHA512
c5610928bad058d36e9d8897a7697de8a79948ed094e8657db60caa37154222c48358d761d4f38866266f24b293b81e970ca486ab533f455add7f300fdd6e7e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
1b9228e83be5d07c7634a3b78cb044c0

SHA1
fc751fdf15224aebed182248d62d746e94ac6057

SHA256
ef5a925a54e55e16a09e46f3c846743f395fe0a47de3c98363f85f88e452304d

SHA512
7c65e7f686424dcd8d5bf8c5450f9780a6369a2a768fc9c353571e9af87244a9591374c3d676a46200e8c5ca2faa1f424359162269f309a006e5609adb4b712c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
298493351d1ef1cb24f07a78fc31d1e7

SHA1
d773b0ef86fafc82f1c6486f4c229070728243aa

SHA256
fcfa4315a8a265ed02901f3216cd52ecb1f434e0a24ec400535e8900095c895d

SHA512
c06283295e7fc85864aa545e4202614dee8b73d36df975759fb1ff12dd708111a7c6f04c200a0d2111e856fc825042e6d93699301357296456197e61579b6c12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ffe6b162e6e252975bf7f73a038c61c9

SHA1
885fe27b4c1e2a9796da5957e02939d143be5607

SHA256
8c31b38d82d4c5088c0c887a0b2ce82598fe81add0ee31a76e009e9bbc542e0e

SHA512
8f4b3313af2b7763cf2e59b9b7b07b7d5934ede41d5ca2a2237311bf92e217cee176c03ff5f0c1334d78b3cfb9eac8e26f1ea69c7ccd031c2520253b17021ef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c737d2daef8ec5b68c155d66373489a8

SHA1
313e9f8fef591db64b1904da99d7e5007664c416

SHA256
18aa70c42f4153c2c7ab72231b1b686e08e815fc85322973f412e96f040fe4b1

SHA512
28af186285525d7110fd349c0e46df8bfaa98ad9654832023715647a8d287195a689c40ede4e4543513abd473bb1d3c7ddae4587a6983c431d8ec964ceabe1df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f4d9105b64d141ec770281d2a02fcbbe

SHA1
4e36f91c657ac472b657c205ed4eb05c38f7fa72

SHA256
275b0a6b9e51fb8a68766e3600bddb8bbdea158c56ba0a3f3419894e7ba5b1e6

SHA512
d1f203a4a105a4bbe7a262f4b4492b5f70378d6e316c762c0e5d9f8c75dca28f84584fb0b4ee06c3ab2406c912c2d218b95c48ed1b2d7e3f8516b35abfd24124

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dbe823d3baa30248f90928a888d228f2

SHA1
dc33fd628e7ce1c0e49fce47841012a2caca233a

SHA256
f4a40aca5ab2ae5800be5c9616ef3262ee1ebcaeec1f391d95ff006b90a62db4

SHA512
e9ab866d6ac9636a17c6f650edde866af799de738f456f33ecf3232d6638be5541b9cb8b3ce34d60b1ca0bf22e5267308def15be626ef7b8c08575992c65627c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7b67c2c81035572ebb3359ba8dade74e

SHA1
e4f112a8d33207cc68be64a88fae0a146540b6fb

SHA256
f8b76a404d66a1b7a0b50034dccd9ece00e23f5c7b54b84a1b8a24502b6bfcd5

SHA512
16536c17aa18da2a2888fde7f442f2ed881bf88780985a9e98bf46ed1f65b0171721977d927a2fb6a569fe726f98df7f6129f9dfedfc5c489cf72080a73ee578

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
4d46f512f98c544c28a41e22cf7952b8

SHA1
2b3b6710b5158c440216bd3026c4b25cef5c7e99

SHA256
b280c6e27ef7777edd7c7b4aaf2b24ff620e9f7248cecfd363132536e0d5360d

SHA512
7c597096dd1869cf2e80b0b59a6d5e75b4f69127680550755e27461514565b15269d595932bbe602f6fce32e4f0f8c1dd8cedbc6e7069e68b1076b92c956d4e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links

Filesize
128KB

MD5
77da10cdfcc5b05794f61fc7b54ce877

SHA1
7fc05f28b3ab5229a582919a7607a315776e1900

SHA256
1ca20af9e3067ccfef436e66cd2f835decfb12e553b841257263cca69e1dae87

SHA512
c9abeca5b0c659f2cfadbd1f77be63ac1b49e30fd6226ffe5323db9c988c2b50623de345ad78c937f5c03871cb8440f54cd3368ebbf802d3385acc713d18249a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e5935791-a551-4f80-8b50-ef1dcd9e8859.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
df2122e9dc9d7ff5d04c8f04e11c6194

SHA1
00195f68b5701c52eb3cf3e9a8bc796777796c25

SHA256
29cdcad724174144330a1a425dcba49c07cb2fb62bf0d27bb1137376ce16ead7

SHA512
a394d4e28bec5026d99f95e35756c45597e1e6f27770c9f7cd5a30fcb43e2ad3a538aa51a40b6d102317ec8c4f068dbd579c377f79624e6bbcbba16ce869ed9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
dd1fa046f3e9b904ea575058aa213455

SHA1
6d46a4ac46ea2493f35c5618f2850400823f89f3

SHA256
124c27d1abc2cf14a668b0b1761c7a2c409a9112b07afc5b413c2bc1ea8daeee

SHA512
ed1b8939361ee806a5d090cbd8828c4893646d7918404922668a51bbf3bfa82acfac7c0fb22dc1b4edb6398b209d52c50b8f73a6520890f9ef295c2ffce7f699

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
5689e6eb27e0c9a729700feebc49f969

SHA1
cae67fa397476c30945e60186925de868fcad0f1

SHA256
f658b3a926e6f1fe9e220f1547681a7c62916b3fe1dec5cf7d36ebe9e4284d98

SHA512
00424175a2fe31ac9df9b43ecd97299ed004908686acc1883ed1f24297b7cb436a4d4d5aad32f0852cb52f3ef2921d5917ea17aff0c81238279579c2c785d54b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
3c8d720a2dce545f3e024993294df55f

SHA1
b0b07ccdd215540db18c82f587d465bf99e88162

SHA256
db1b383a35db5b313b215c78fcae2d91d471370b92179806d64d1730d8761129

SHA512
d070d5773fc98a3ab59e5d1db6bf46b68848ab44968730f45175c795d8ca276b1fd997aa0ca7573375df54f784239d6a76bc9754779fa469159ecae8638faaa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\segmentation_platform\ukm_db

Filesize
28KB

MD5
a75ad9c9dfa226a069ca4bc28ecf50b2

SHA1
409c61dc97224986c00fd5f6eb226fb841eea61a

SHA256
1a39ba89c0b113465bd2c39796c9fd63db7da0bb7b2fed14c97e72e8639b1d15

SHA512
1be21a2f27fa73273aab4c0eb5ebda54df1ec44a5a0e5859897c12c95ef018d10908bd0e2ed6c99e2aaa37884b3688d4b5f72f6eb22ef7f5c11bf009dcce8145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\segmentation_platform\ukm_db-journal

Filesize
20KB

MD5
3dc76616e66fafd348647b5d5b0e70f5

SHA1
b19c54ade79d3737e69a88fd7c9c0402f7a50171

SHA256
2db608b09edd368ec645a64ad28656f3321b039da52ce989d485e6b743a456e5

SHA512
ce468c8333c17d2e9a00a4f166e22bade58ce679fa32dd391ebbca3adfe3b3bd142abf0d3965cdebda623fc4b4547ab5ca033ac54f645126a7c8e79126d4db8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0487ced0fdfd8d7a8e717211fcd7d709

SHA1
598605311b8ef24b0a2ba2ccfedeecabe7fec901

SHA256
76693c580fd4aadce2419a1b80795bb4ff78d70c1fd4330e777e04159023f571

SHA512
16e1c6e9373b6d5155310f64bb71979601852f18ee3081385c17ffb943ab078ce27cd665fb8d6f3bcc6b98c8325b33403571449fad044e22aa50a3bf52366993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5578283903c07cc737a43625e2cbb093

SHA1
f438ad2bef7125e928fcde43082a20457f5df159

SHA256
7268c7d8375d50096fd5f773a0685ac724c6c2aece7dc273c7eb96b28e2935b2

SHA512
3b29531c0bcc70bfc0b1af147fe64ce0a7c4d3cbadd2dbc58d8937a8291daae320206deb0eb2046c3ffad27e01af5aceca4708539389da102bff4680afaa1601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
911081cd572af70cfe07c71106d3185f

SHA1
ad98961539d2f16c8faee565ca4b8ad635468b41

SHA256
a7bd94f44c1f60e3d6fa8b602794a8cbc2b5ab012ca0aa7522b1003989ba17d9

SHA512
ebf5f2b9328d4d6978ac284f8144e43005c1afa9b508b2ef52ad210ca24b6dfd067f4e61a3605bb206462f8ccec30f25032b31f579874fb3f218828ffd880c10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8d768c04d404faaaf41243aab0b31ea8

SHA1
d761e6455c0496256f92e23c94c90e23ef221ac3

SHA256
6b5eedcab8fc334688e920be87f6a166b36055ff8c09ea77b45bc60f0da72156

SHA512
9ce33320e5b647d2898438023a5c59c81ffff5705cb3a66c3a8dee01288f9a0a77ffd8e843f1ca7e798e936911053ea39f4b060ab26abe2f43318e86977d8abe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ce75427eb5651c933a18a94d182c8e77

SHA1
0e6c4ac55c00bbeeabbd2a13f0e0c13afab6ed7e

SHA256
b79e4deac080e45150f4a9755a43c09e2697f8d4267d8d8fdf3034cbf0673e98

SHA512
a404e3b6c2efff60d12f402e657b1a9e419e7f6fb656c79bdbfe2cbd789afb905972bb00d340f562c4460c60d5af34dddf56c642d63445ee400a1cabf7559afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
6108235c8e7e23ac960f57799726e6f5

SHA1
cd05e5ee201d6ba413766efc0dbb2b959e70ea33

SHA256
267e8bc3c244221d4e8c469b063118e259e2176afd86357fe4a190d921a197e3

SHA512
2d9552105250952bd35184f2f1738f46a8e2e88d75160cf88c787b338c91ff4a7369b3665cda86069928a0bae2d87df9c1a7081b150026348659b0937d8aaed6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
656B

MD5
91e1782e5e4bfee04981b6e10fa450ad

SHA1
d597b3dc67d02ebbcdffeda44ecfc48a3b2406f9

SHA256
1f8a27922263bf7816308b044368d7a8aed6c80ed0430bc7115952f2158f27fc

SHA512
7f8b8bace59a1d6e1a9b853fa825b79b6d7a3a60559b27216b43ef2f17ac59a89454d5ca3bf2d278774ee7b8e9d8261bc258787c8c506a85387cd15588608234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
70ad2d31d0f2331a19ec08b817bf9a9a

SHA1
4fc50d206c2b481ad1e2743cc33e8c8ae0092643

SHA256
f4a3e2511ea6bec29e7dfaa6f5a828f863dad98b51984d0c0189e07e676b130d

SHA512
acc041352f2f7e102f4574a26934c481359a0102e86277c32b23bedf7f11010c4b49ba3558f889a97bc4b632d1c78578570a13be766073dcd0314840653541c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3db7dc9d9fafd697e171c0134e572afc

SHA1
34e302818b4f9f9ba23ec6fd9827a9bddd1819d0

SHA256
33b96dc88af253d61b1d512624da8056b3f474e24eedff818fb3a6c6654f2cd6

SHA512
2b91b147e3d76d653948780dccbf187f1a16006dc27e7bf23adcaaa900c95e28bac36e9f9dc2e000e9839b8617383fce11ddfc0641be7134ffe484649985cc0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9890853781787a43b2d577b22c4554f0

SHA1
763e2b821823b8ab608dbd1240d8c947243377a6

SHA256
948eb0038ab9745d8cd69d89d2a22ff1845cc216c78609b1d69c272f8f41565d

SHA512
74ddf3bd17516b37a156421b1e5885c704a26740633f16ad1a841d0640297732c334c58725cf70fe545c46647797f9d304b0c8b83766bf113aff4bf34fe13a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cd2fba8ebf093412e7c39eab443d71bd

SHA1
22f917e52fc65046c74eda64176b5b3eb3c5477c

SHA256
b4db11ec966b0b554c0d5b6c37e0af90f4aa3f4e443e63f38c04fc5ec1e003a3

SHA512
bb8aff9427b24f2a27cb584b95a134e0d94a709bd4f93f8bfa3b81070f94c7b7eb6dc4c0caf7d60650f8188420e881755c4611e32e28fd93877df6e237e2b4a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ebc3266a8181d0f96326354b84baa1fb

SHA1
e20d702cfd6d126cec5035ff60a0944a8dfe9a52

SHA256
11a31c699906d6478f81c3fff10a2757c90c90b6f811ca1d90784bd8f1e66b7b

SHA512
2d04df00782b4818d7e3a9bf4de819d7bdb3fb4005a3eb4cdede49c93403f580ae488274db6927e05484f54b76570069cf53854a0e589e13d7af60cd2aaf9890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c1f03542548a14997c93cdeed7d527c3

SHA1
c361549734e05b5a055ce270473cbf5bfb7269d8

SHA256
df119ca65d0be9c42cabbea5b69f329c8b6d8dd598e44e5963b8b92820f6a4de

SHA512
279358a3b4a063dba72c169dace467c6be659725af246a609dc0556e244c28708cd714e66cc573ad979a6cc37d850a37c7949b305574d10314af6cb6e1c7c38d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
786c91911d87d43f3ec88a5ad8bc9199

SHA1
761008b9e5f864800aea77f33782d0aaf216b8fd

SHA256
0ff77f9cfecdcd888d5b2670179372f58ba6ff12c73b5c657cdafcaedde7297a

SHA512
0740bdb542d83091235948ee6d79bc3f31584799281862a3ba97376ce9c90b810dfec5e0290aa096e266470d576ca0aeaca26a3a84ce868744f61c3d6aff0fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5994854c515f53e1ba1e9484d898dfaa

SHA1
cdcc1baa8a32c6a7bdfbec6b41a5d4832969cada

SHA256
eccd1373e8a8b1f94e6540123c2f31d116358583fe0eb05a7b0603604ec99868

SHA512
7f6807aa7cd8f61b77556f2201144c0acefcac5ecfd8d08ff8e0eae09fa6224668f681bda5e89316aec098a530f39a5c7f082e201d768e4b488afb10892edd47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b517f49716dfb04d6825be10e476facd

SHA1
5e91e9bca8cc927196908bb059b755cf172aa04e

SHA256
b10b0375a1cee1c09875571d0cca794e3ea51f2d18e70748757401da01e16712

SHA512
35f301a582eaab2bdd97e0f8a8760d63fb28a4ae138b50f92324eb9986e28a6628a742a6c860783789eaddfb6b6d48a0a33daae0b03cf009ffffa7f9187a3271

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
57c334cc6703483b1e5c89d03017751f

SHA1
7942ab19cbdb7ad48f229ea1299661c0b9bc1b7e

SHA256
b50ca99bd177d5d241277214d5a9c325a9a90dd9a6a4f71864b00ffbc5b0f22a

SHA512
000b570f0a041633c9eee7f89c7bc1b6b2ee3b11265613957de2e04d236b8abe72d6fbcfc2488ab389a3563b540ee6f4edc0cb96acad78a9407abf9bfb63e9eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1a199986dff54118fa39f912354d2625

SHA1
d4d1966cc330982aba81d28e83c57223906ebfbe

SHA256
9c43462e01abd9e5115e06228c07bf08b4274b175c6c56f6f5a823ca0fa5b13c

SHA512
374d7a9b67c40187c19e0abce024967e0a450e2fc867b04f1fa9c4fd0e04299b9366337941abe81b311e5f5379b49959d4749acf8479e331ad142ecdd068062d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580f7c.TMP

Filesize
870B

MD5
48ec3c3835cc8ae91526d92fc4c2023e

SHA1
e44315f01bae9632887618a05308bd2e50ce8347

SHA256
ee7ca137b4bfdcc41b78adb6132ac178c6ab9462198a0d3b40d395b53a3fdd38

SHA512
66232773b04b6f42d6773f7ad31369323440e7baa26f09c1f4d4987d23645e58dfd398002fbaf0ef0b5e9f0a5a4b8e41c24ef9d5bcb084ad26178c71c8a34388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
665bad31e91c70e93b6b44a8503d3f0e

SHA1
256f58a4f5782e2e5a34afed3fbf902d2d83e10f

SHA256
5d71cc3c4e2030ed684f96eee5124dd0bcd2e8f423f3d89947140726843eec71

SHA512
629d3518ab006512667c152977c02a100b133b30bfe889e16e5377b67e93b6694dbf1e4634106c788f3814e84d8eb5d3b896af508690fac797e3f19a57804ae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4f0570e7b803992b08d165c0b0e14a27

SHA1
59ac61eed2a0e7051813d5e2806c0a98e04ab1b9

SHA256
45230259425f065143972fd4140b9b516aacfac2f4b88226944efbec1b4264fc

SHA512
c7227c1913e74e3308feff25c897ad6838954dab232e50bd9e85192e9ed079942004efcf7eaa181863de4d4c9eba1518aebd641d6dd215962e9d52db8531e94e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e36374f3fd78f543002a5fa9ff554f9c

SHA1
994fe873b037d4854a9b427e95a1c0750dab3869

SHA256
72f557b161e7fc5dd8df8b304b2fc100eae32ce96e2600abec233bbe1c940051

SHA512
eb7487ff070c403e3a63c6f31308bfcaf5ed91e291b1abdc3f4ca1a370d19d466cd76a187e3381f8fc2de8d6cd4792318ed27914803ba0013b8a7b9ccd22f794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
93a52ec91829372ddf784ea6f45e2ec1

SHA1
afa36281f244dfd3981b4660f8b73535cbb0429e

SHA256
e3cb5febd73e8ff6fb4e5ec3ea25631c0395c20750a8984fe8434cfc58241a27

SHA512
8c32f386944ea93cf57f5a680e08662717d3677a89b5ff01b9bf2780b052bbf203fd0b49be24e72f42fc8098ab98002b9d5509b9867f5ea97f6a817ce84f21e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
716c628bed040061663bef46f2688a66

SHA1
430d4d4df8f548c30e796ac4ed4afd2b84ce9501

SHA256
cb255ea309da21fbd8974db0db4af2fb81e8a3f2a5e9604fe51b67fb6c5199d0

SHA512
046cb6107d41fad3afe9cc9e2963f08d4fe20830c472b234499846557154df0ced347e7fb2da94a1cedebe25b4a3c3f34e1161c765f2df9f67cbfe60eb513234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7ab0b0537c5f1d669924f213589c6108

SHA1
2e89ed4e8488cc918c7a87ce55f66d7f6bbded51

SHA256
944ac29a8ae5418667eeb777c6f90d4a3af0e73d7c9634595084e5adea0cbcf9

SHA512
c2298733f055b4279baf13264d18c82341e0ee7135962f7d04dc7dc00bbaab7b474e47e320e42d3f40118493dba6bdd7bd218c3b173a54b0bacaf72dd27bca48

Download Submit
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Trololo.exe.id-126BED6A.[[email protected]].ncov.ANNABELLE

Filesize
3.7MB

MD5
e920b71064db8d9eb2d11e6b1d049698

SHA1
fe339fc8ff0228fa80716e5692cb93ea4c7effbb

SHA256
a57b2a3a0a338478ac24745425f7a93204162eac515df8b50015a4971a847268

SHA512
a7f389c803b77cf89f6cf70916c10c6bf802ae277c69ecc3d18a9377d561e9a737dafa226f00c87fbaf6ac24b0b4e88c004a980283d9f56ae31f7265a51639b2

Download Submit
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe

Filesize
424KB

MD5
e263c5b306480143855655233f76dc5a

SHA1
e7dcd6c23c72209ee5aa0890372de1ce52045815

SHA256
1f69810b8fe71e30a8738278adf09dd982f7de0ab9891d296ce7ea61b3fa4f69

SHA512
e95981eae02d0a8bf44493c64cca8b7e50023332e91d75164735a1d0e38138f358100c93633ff3a0652e1c12a5155cba77d81e01027422d7d5f71000eafb4113

Download Submit
C:\Users\Admin\Downloads\Avoid.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 334776.crdownload

Filesize
248KB

MD5
20d2c71d6d9daf4499ffc4a5d164f1c3

SHA1
38e5dcd93f25386d05a34a5b26d3fba1bf02f7c8

SHA256
3ac8cc58dcbceaec3dab046aea050357e0e2248d30b0804c738c9a5b037c220d

SHA512
8ffd56fb3538eb60da2dde9e3d6eee0dac8419c61532e9127f47c4351b6e53e01143af92b2e26b521e23cdbbf15d7a358d3757431e572e37a1eede57c7d39704

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 786202.crdownload

Filesize
12.8MB

MD5
9a651a54102ee4c38801df6ad0054c47

SHA1
56d60fec9e3a6cf91d853cde46c821207cd208d2

SHA256
39329bd5d93b3f7c13ea879c172643140e0c10afdf9f7b0a35c358a26fa5e295

SHA512
45e63ac0e7279099488006bc9b6de67632c42789c1882e08d2e850c88f35291d501a8f662d24397b09bfdf83fe6cdffaf709ac865ab7c5c1aa9660d22688fb9d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 822753.crdownload

Filesize
197KB

MD5
7506eb94c661522aff09a5c96d6f182b

SHA1
329bbdb1f877942d55b53b1d48db56a458eb2310

SHA256
d5b962dfe37671b5134f0b741a662610b568c2b5374010ee92b5b7857d87872c

SHA512
d815a9391ef3d508b89fc221506b95f4c92d586ec38f26aec0f239750f34cf398eed3d818fa439f6aa6ed3b30f555a1903d93eeeec133b80849a4aa6685ec070

Download Submit
\??\pipe\LOCAL\crashpad_3360_FFQLPDZAOZBEVVDY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/444-27007-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/444-1204-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/444-1198-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/1004-1206-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1004-26992-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2084-451-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2880-1173-0x000000001C000000-0x000000001C4CE000-memory.dmp

Filesize
4.8MB

Download
memory/2880-1175-0x000000001BAE0000-0x000000001BAE8000-memory.dmp

Filesize
32KB

Download
memory/2880-1172-0x000000001BA00000-0x000000001BAA6000-memory.dmp

Filesize
664KB

Download
memory/2880-1174-0x000000001C5F0000-0x000000001C68C000-memory.dmp

Filesize
624KB

Download
memory/2880-1176-0x000000001C850000-0x000000001C89C000-memory.dmp

Filesize
304KB

Download
memory/3404-535-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3404-536-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3792-985-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4200-690-0x0000000005BB0000-0x0000000005C42000-memory.dmp

Filesize
584KB

Download
memory/4200-691-0x0000000005B30000-0x0000000005B3A000-memory.dmp

Filesize
40KB

Download
memory/4200-692-0x0000000005D40000-0x0000000005D96000-memory.dmp

Filesize
344KB

Download
memory/4200-693-0x0000000005BA0000-0x0000000005BAA000-memory.dmp

Filesize
40KB

Download
memory/4200-689-0x00000000060C0000-0x0000000006666000-memory.dmp

Filesize
5.6MB

Download
memory/4200-687-0x0000000000F60000-0x0000000000FD2000-memory.dmp

Filesize
456KB

Download
memory/4200-688-0x0000000005A70000-0x0000000005B0C000-memory.dmp

Filesize
624KB

Download
memory/4508-1053-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/22240-23690-0x00000207AEA60000-0x00000207AFA54000-memory.dmp

Filesize
16.0MB

Download
memory/22240-26562-0x00000207CA080000-0x00000207CB60E000-memory.dmp

Filesize
21.6MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads