Analysis Overview
SHA256
0c6ff15670dd2c520c42951d382e94a022936fc865c37c30357f5fb366f6c84a
Threat Level: Known bad
The file Software v1.24 loader.zip was found to be: Known bad.
Malicious Activity Summary
Meduza
Meduza Stealer payload
Meduza family
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Accesses Microsoft Outlook profiles
Checks installed software on the system
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Browser Information Discovery
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
outlook_win_path
outlook_office_path
Checks SCSI registry key(s)
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 22:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 22:40
Reported
2024-11-10 22:43
Platform
win7-20240903-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Software v1.24 loader.zip"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 22:40
Reported
2024-11-10 22:47
Platform
win10v2004-20241007-en
Max time kernel
412s
Max time network
396s
Command Line
Signatures
Meduza
Meduza Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Meduza family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\software v1.24 loader.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\virus\software v1.24 loader.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\software v1.24 loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\software v1.24 loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\virus\software v1.24 loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\virus\software v1.24 loader.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Documents\software v1.24 loader.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Documents\software v1.24 loader.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Documents\virus\software v1.24 loader.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Documents\software v1.24 loader.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Documents\software v1.24 loader.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Documents\software v1.24 loader.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Documents\virus\software v1.24 loader.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Documents\virus\software v1.24 loader.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Documents\virus\software v1.24 loader.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Documents\virus\software v1.24 loader.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1420 set thread context of 2368 | N/A | C:\Users\Admin\Documents\software v1.24 loader.exe | C:\Users\Admin\Documents\software v1.24 loader.exe |
| PID 2800 set thread context of 3884 | N/A | C:\Users\Admin\Documents\virus\software v1.24 loader.exe | C:\Users\Admin\Documents\virus\software v1.24 loader.exe |
Browser Information Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\System32\Taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\Taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\Taskmgr.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Windows\System32\Taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\software v1.24 loader.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Documents\software v1.24 loader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\System32\Taskmgr.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\virus\software v1.24 loader.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Documents\virus\software v1.24 loader.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Documents\virus\software v1.24 loader.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Documents\virus\software v1.24 loader.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Software v1.24 loader.zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Documents\software v1.24 loader.exe
"C:\Users\Admin\Documents\software v1.24 loader.exe"
C:\Users\Admin\Documents\software v1.24 loader.exe
"C:\Users\Admin\Documents\software v1.24 loader.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Documents\software v1.24 loader.exe"
C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
C:\Windows\system32\launchtm.exe
launchtm.exe /2
C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe" /2
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\virus\ReadMe.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault6c3bc11ah6e25h463dh8070h500cea2de4c9
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x100,0x12c,0x7ffdc33546f8,0x7ffdc3354708,0x7ffdc3354718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,9920250236091561258,11791580492796656465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,9920250236091561258,11791580492796656465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,9920250236091561258,11791580492796656465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault83e4e199hb09fh4d51hba21hb0f4475094f4
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdc33546f8,0x7ffdc3354708,0x7ffdc3354718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,5999680625375449442,16973078402224462423,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,5999680625375449442,16973078402224462423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,5999680625375449442,16973078402224462423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\Documents\virus\software v1.24 loader.exe
"C:\Users\Admin\Documents\virus\software v1.24 loader.exe"
C:\Users\Admin\Documents\virus\software v1.24 loader.exe
"C:\Users\Admin\Documents\virus\software v1.24 loader.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Documents\virus\software v1.24 loader.exe"
C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| DE | 109.107.181.162:15666 | N/A | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 162.181.107.109.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| GB | 23.213.251.133:443 | cxcs.microsoft.net | tcp |
| GB | 92.123.128.176:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.251.213.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| DE | 109.107.181.162:15666 | N/A | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
Files
C:\Users\Admin\Documents\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
| MD5 | 1e9d8f133a442da6b0c74d49bc84a341 |
| SHA1 | 259edc45b4569427e8319895a444f4295d54348f |
| SHA256 | 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b |
| SHA512 | 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37 |
C:\Users\Admin\Documents\software v1.24 loader.exe
| MD5 | cdb737ca563007eca0a4248f10127d44 |
| SHA1 | b6e25b3cd664167a2869a6698a0f5a05de7f75ba |
| SHA256 | 6699eb14a5ac8482f2a56a7d5856a9779aed92038726cc46f3b1d1847e9bd672 |
| SHA512 | 8575fea4e3bc70dd3f29c1c34224d61db7a191a8a47035b90a1915c54053b6cbcff10edc7d580abf2721005a194b53cd7ca428da18fd55a627b5c17ffe8288d6 |
C:\Users\Admin\Documents\virus\jre\bin\msvcr100.dll
| MD5 | bf38660a9125935658cfa3e53fdc7d65 |
| SHA1 | 0b51fb415ec89848f339f8989d323bea722bfd70 |
| SHA256 | 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa |
| SHA512 | 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1 |
C:\Users\Admin\Documents\virus\jre\lib\deploy\messages_zh_HK.properties
| MD5 | 4287d97616f708e0a258be0141504beb |
| SHA1 | 5d2110cabbbc0f83a89aec60a6b37f5f5ad3163e |
| SHA256 | 479dc754bd7bff2c9c35d2e308b138eef2a1a94cf4f0fc6ccd529df02c877dc7 |
| SHA512 | f273f8d501c5d29422257733624b5193234635bd24b444874e38d8d823d728d935b176579d5d1203451c0ce377c57ed7eb3a9ce9adcb3bb591024c3b7ee78dcd |
C:\Users\Admin\Documents\virus\ReadMe.txt
| MD5 | 74133194d36f34e3420b720225df4cb2 |
| SHA1 | c86d448a9233cbb8fcaf55380c4005e13f03e914 |
| SHA256 | c6270012e406d50641e4bcddfb45b56ab639d2142e6d76d0c84139028b68169d |
| SHA512 | e86cc52fce0b24e27bb301eed8dc9efb50b94d487439bdc9482a8d986a4a52e42b7c3a5c12d0fb2f32a6ac16a91242f42f3a6fc59b5d6479bc60f466fc675694 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 37f660dd4b6ddf23bc37f5c823d1c33a |
| SHA1 | 1c35538aa307a3e09d15519df6ace99674ae428b |
| SHA256 | 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8 |
| SHA512 | 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d |
\??\pipe\LOCAL\crashpad_1100_XLNPRCCUZFOIQTDU
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c074117d087b255727d4ec85ac7bdb67 |
| SHA1 | 4cc075e9f07cd170940d6c29e90aba8ff6bde071 |
| SHA256 | a1b6673a267fbf8fbe896255293be16c84193f2f8dbacff4f6213e06b722fc64 |
| SHA512 | a93be55cd3fb8e4f6638cf62db43573b15f21dfaf0cd32ab43fa9b7af8cebaffaa5a4b5096e107a32f674af7aaa7575bc984b2ce36652f70b5c43ce898bcff4b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1560100aa229fe4a429bd60a0110136e |
| SHA1 | 6332683e509f410945931d3db91fc4adf90a5465 |
| SHA256 | db47ae7c7f924af11e0eb874729320f168fd3f37d8b0a32841c55a5747d30df1 |
| SHA512 | 256e32edf6c4155ea4d355643fd681ad2ac5759833ad7d0dfdf647314438d386b2500dc0e599799579184abe0bf1afa6f827aadf0ee5e317c565ab4443b4dcf5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d7cb450b1315c63b1d5d89d98ba22da5 |
| SHA1 | 694005cd9e1a4c54e0b83d0598a8a0c089df1556 |
| SHA256 | 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031 |
| SHA512 | df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
| MD5 | 838a7b32aefb618130392bc7d006aa2e |
| SHA1 | 5159e0f18c9e68f0e75e2239875aa994847b8290 |
| SHA256 | ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa |
| SHA512 | 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
| MD5 | 57d836dd19c4fce9ce3589caf2bb08a0 |
| SHA1 | 92e14ffd0a9b99ff76d1b315eef115087408539b |
| SHA256 | bbb9d4f33d4fe2b1860fbe1a54b1f9c018bbc9226e8f4daa17e2f29b3a9b6ca9 |
| SHA512 | 66ffb1e846ee670d0499c3ba8717d7e243ac830948d4ba2087c3851fa550a1150cfc03b933723e32db31038a2cf63885c76b2be97c5c6184904b3874fb00f88b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
| MD5 | 5820edb1acfe1c7372c6375fdc395e76 |
| SHA1 | a3e41356e5d644ff9f9e3e0d10c85c1ef1f872bb |
| SHA256 | c1b048dec8cfad07a3486e9964f66a0c587c6eb0972846e327bf81bbd97c3520 |
| SHA512 | 4ea5a3aef88c59f486df1a9ea256f842f37fd86d052ab1a663a837162cefb0cd495a3d3fef40ee78e619dc92ddb65f9a7e65efabb683b3b24e6e29de8c986cd7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
| MD5 | 79358ba3b705a081b3f142670af69bfc |
| SHA1 | f39e7fbc5894627aadcb23f6d704a20b21e1add5 |
| SHA256 | 74f573ce9ffb63c6c7c229b8c9ada77ec245deeb90d89c5424a871e62cdc849a |
| SHA512 | 8a51a0d79553f96faff7696ded68b79a4ec1b65d8db1ceb50d9bdbd418e71dc7d656c08061a9e1821470795963575985757b7d8e6629b63b6be5958f86937429 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 4df4574bfbb7e0b0bc56c2c9b12b6c47 |
| SHA1 | 81efcbd3e3da8221444a21f45305af6fa4b71907 |
| SHA256 | e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377 |
| SHA512 | 78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 67e486b2f148a3fca863728242b6273e |
| SHA1 | 452a84c183d7ea5b7c015b597e94af8eef66d44a |
| SHA256 | facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb |
| SHA512 | d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 42cdd5b27da64c622d23b3f20a5ef7eb |
| SHA1 | e7e51babb5cbd8fca925033fe5144319885e6c19 |
| SHA256 | 14bb073094a0e282f28b12e5d76cae2f964ae9377afaf54c3001d3394322080f |
| SHA512 | 2bb4261df04def2699ff949e575cffb8d0ef4e66b0ea9eda5c20207cbb70953848425ea63a796acfa2e27bcd1569e770c389da9a8cdf7febaff7e5c67394c1c5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 971c514f84bba0785f80aa1c23edfd79 |
| SHA1 | 732acea710a87530c6b08ecdf32a110d254a54c8 |
| SHA256 | f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895 |
| SHA512 | 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | c79b4ed062c85349d7d18af7e2d09d9f |
| SHA1 | 67be43a4b2f4a364265244ab050d75f65aecbd37 |
| SHA256 | 6d4c33f91e00b4461d5e40bcb72b8c5d4f67f3cd988c1685639a1e4d2c62a1fa |
| SHA512 | 2d44916064849ca10b7724f9225b015f3f226d9c4b183c204d93ee2bdc9443b40fc54f9622fbd05f8024933bdad9c74fb6802d978aba77b3182d866928a0aaa6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 65f0b1756fda7f3c776a0dafb4ad69b8 |
| SHA1 | 1929d64c190f226322d09b7e8f6883a4165c1709 |
| SHA256 | 8f6f33a33423f99af1888f6e591e8a141b88b43a28141f101cac013771788cc4 |
| SHA512 | 7e87d14cbe03eec5cdb85389f35ed746319c2c458160861acfe64e4187c8b0dd95c12dd207d446eb567ff886e35941acdca35536a1c5269472e0e4f48aab4723 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
| MD5 | 63b35070409f1888f0839e9f19efcb14 |
| SHA1 | 2e4eed239da173448d4413d8afa57ecd91f28c72 |
| SHA256 | 11a15ceab80713c5fb89e74b4bf4782a9704922be43b4c5f95f5d631c2d6b7eb |
| SHA512 | 47bfe39f85e791e5a041380eb3271278ecf1666e6418dc198ca4880e2880a1bca7cfe2cfb36450996a37a86a33895d7a242a242655798e892f52ba670b0c6ea3 |