Analysis

  • max time kernel
    94s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/11/2024, 16:05

General

  • Target

    https://github.com/Da2dalus/The-MALWARE-Repo/raw/refs/heads/master/Ransomware/Cerber5.exe

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___6Z01E_.txt

Family

cerber

Ransom Note
Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/03FD-2E19-6080-0098-B54D Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/03FD-2E19-6080-0098-B54D 2. http://xpcx6erilkjced3j.19kdeh.top/03FD-2E19-6080-0098-B54D 3. http://xpcx6erilkjced3j.1mpsnr.top/03FD-2E19-6080-0098-B54D 4. http://xpcx6erilkjced3j.18ey8e.top/03FD-2E19-6080-0098-B54D 5. http://xpcx6erilkjced3j.17gcun.top/03FD-2E19-6080-0098-B54D ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://xpcx6erilkjced3j.onion/03FD-2E19-6080-0098-B54D

http://xpcx6erilkjced3j.1n5mod.top/03FD-2E19-6080-0098-B54D

http://xpcx6erilkjced3j.19kdeh.top/03FD-2E19-6080-0098-B54D

http://xpcx6erilkjced3j.1mpsnr.top/03FD-2E19-6080-0098-B54D

http://xpcx6erilkjced3j.18ey8e.top/03FD-2E19-6080-0098-B54D

http://xpcx6erilkjced3j.17gcun.top/03FD-2E19-6080-0098-B54D

Signatures

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

  • Cerber family
  • Contacts a large (1105) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/raw/refs/heads/master/Ransomware/Cerber5.exe
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa048146f8,0x7ffa04814708,0x7ffa04814718
      2⤵
        PID:1940
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
        2⤵
          PID:2796
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2772
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
          2⤵
            PID:1904
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
            2⤵
              PID:4660
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
              2⤵
                PID:3712
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
                2⤵
                  PID:4840
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3428
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4748 /prefetch:8
                  2⤵
                    PID:2764
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
                    2⤵
                      PID:1828
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5752 /prefetch:8
                      2⤵
                        PID:4136
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:4104
                      • C:\Users\Admin\Downloads\Cerber5.exe
                        "C:\Users\Admin\Downloads\Cerber5.exe"
                        2⤵
                        • Checks computer location settings
                        • Drops startup file
                        • Executes dropped EXE
                        • Enumerates connected drives
                        • Drops file in System32 directory
                        • Sets desktop wallpaper using registry
                        • Drops file in Program Files directory
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4960
                        • C:\Windows\SysWOW64\netsh.exe
                          C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
                          3⤵
                          • Modifies Windows Firewall
                          • Event Triggered Execution: Netsh Helper DLL
                          • System Location Discovery: System Language Discovery
                          PID:4972
                        • C:\Windows\SysWOW64\netsh.exe
                          C:\Windows\system32\netsh.exe advfirewall reset
                          3⤵
                          • Modifies Windows Firewall
                          • Event Triggered Execution: Netsh Helper DLL
                          • System Location Discovery: System Language Discovery
                          PID:3892
                        • C:\Windows\SysWOW64\mshta.exe
                          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___QFSQH_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                          3⤵
                          • System Location Discovery: System Language Discovery
                          PID:5668
                        • C:\Windows\SysWOW64\NOTEPAD.EXE
                          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___WWFH8IAX_.txt
                          3⤵
                          • System Location Discovery: System Language Discovery
                          • Opens file in notepad (likely ransom note)
                          • Suspicious use of FindShellTrayWindow
                          PID:5636
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "C" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
                          3⤵
                          • System Location Discovery: System Language Discovery
                          • System Network Configuration Discovery: Internet Connection Discovery
                          PID:5996
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /f /im "C"
                            4⤵
                            • System Location Discovery: System Language Discovery
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:6100
                          • C:\Windows\SysWOW64\PING.EXE
                            ping -n 1 127.0.0.1
                            4⤵
                            • System Location Discovery: System Language Discovery
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:5136
                      • C:\Users\Admin\Downloads\Cerber5.exe
                        "C:\Users\Admin\Downloads\Cerber5.exe"
                        2⤵
                        • Executes dropped EXE
                        • Enumerates connected drives
                        • System Location Discovery: System Language Discovery
                        PID:3608
                      • C:\Users\Admin\Downloads\Cerber5.exe
                        "C:\Users\Admin\Downloads\Cerber5.exe"
                        2⤵
                        • Executes dropped EXE
                        • Enumerates connected drives
                        • System Location Discovery: System Language Discovery
                        PID:3524
                      • C:\Users\Admin\Downloads\Cerber5.exe
                        "C:\Users\Admin\Downloads\Cerber5.exe"
                        2⤵
                        • Executes dropped EXE
                        • Enumerates connected drives
                        • System Location Discovery: System Language Discovery
                        PID:2544
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
                        2⤵
                          PID:5624
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2500 /prefetch:1
                          2⤵
                            PID:5576
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
                            2⤵
                              PID:5976
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,13980048044143526664,11398764258239330382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
                              2⤵
                                PID:5896
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:2564
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:1504
                                • C:\Windows\System32\rundll32.exe
                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                  1⤵
                                    PID:1176
                                  • C:\Users\Admin\Downloads\Cerber5.exe
                                    "C:\Users\Admin\Downloads\Cerber5.exe"
                                    1⤵
                                    • Executes dropped EXE
                                    • Enumerates connected drives
                                    • System Location Discovery: System Language Discovery
                                    PID:4368
                                  • C:\Users\Admin\Downloads\Cerber5.exe
                                    "C:\Users\Admin\Downloads\Cerber5.exe"
                                    1⤵
                                    • Executes dropped EXE
                                    • Enumerates connected drives
                                    • System Location Discovery: System Language Discovery
                                    PID:5724

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: d7cb450b1315c63b1d5d89d98ba22da5
    SHA1: 694005cd9e1a4c54e0b83d0598a8a0c089df1556
    SHA256: 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
    SHA512: df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 37f660dd4b6ddf23bc37f5c823d1c33a
    SHA1: 1c35538aa307a3e09d15519df6ace99674ae428b
    SHA256: 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
    SHA512: 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2069dbc4-875b-4b03-93ef-e7a924a681e1.tmp
    Filesize: 5KB
    MD5: 9a08b79c90bd28dd57a47e2395c1c793
    SHA1: 09cbd7918ed90fc1aedb564d73967663d14e3e0a
    SHA256: 52778f71d903b0001a98a69080b53812eff80a70a3e9fdd1e41685f9dc1b69ce
    SHA512: d87b782d0f5e0401a7bebc325c34431308552a4631c7b7c3333f93ded62c01c16665637209bb5c66b5a94872a2b1ff3cce82d2893bebaa069d3e2b5748c57b93

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 261B
    MD5: 2c2e6472d05e3832905f0ad4a04d21c3
    SHA1: 007edbf35759af62a5b847ab09055e7d9b86ffcc
    SHA256: 283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03
    SHA512: 8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: ecb4a4752df3a633451420cdc49a12e3
    SHA1: ecf993ebd7944e4a294b600200620bc6eb3ce308
    SHA256: 554f5c2f5814f88a101ed81ce855b627b13a53d100c5cac470ef0b62aa84ce50
    SHA512: 60a06e1e2fe270eb5322832c202183d6f9e3197665d8a1920d1f67206739245f92cbded830dc04ac21d8b3bee82ca7ef86aa40253bcaed0f39764b23863fde9c

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 46fa383fcbfc59afd72a27ec6ee96273
    SHA1: cde95348df8eefca217234b1d0970c96cc66cec0
    SHA256: aff9d3ad75cae8d1c574965356b11f3398e2ff9cf97e98f8d34191001a3d486b
    SHA512: df09881a2769abb7ecc6c93851ba39af9f1e0cefda93ef5891a7d7da1842c93e64bfe4dc2e98d4add96f37186e65a90ebfa9bebc02c32044987395a2b77ff5eb

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 5f93d1251468c532ac20a27d749bca33
    SHA1: c8daf54109770e78e59a1bdbbf43872772fbaa00
    SHA256: d65bfad62162a1e8b16e7c88ab4b737cc27bcf92bbd1b835b66cc144b4f56ada
    SHA512: 43c5354345aa7f78b255e3e94c867e210e23aad70a8fd3e999832e696c9afa0a85117e1d6c9f695b79b33c1f735d803ad005a53c256f1ccfef69387d616d6dc2

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 44cdc5e86748ef91bdadaf4e0f068da2
    SHA1: 98e0a9c421a70c4f7ee6311cadf9f3388a1bcbe6
    SHA256: 1e082c27263b21eb760c3a36b2562b86fcf7af17f405fc4aa28c8b654de27164
    SHA512: fa10bb74caf935fd701a7ad80ca6a4ff269c89dfb297e83e19b55dfd01c6b55f40951f094a428b2960cb109fdb6ec281d0e40fc12999a5d09435728331868023

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 6752a1d65b201c13b62ea44016eb221f
    SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: f7fb51d9f9936ea33bf1c4b6e263e56f
    SHA1: 68c37adfd076c3f0637696828f4e3ef81db87caa
    SHA256: e730320f02adccfa0945239ac2397bf174113a073645fadda67f081b23aef39d
    SHA512: 48572c7da29c65f04da307e1436694dca00097f88e619fb7180ad0d2b09855c3d9dfbf4c39622889c7d746cf1d00a4f15e1344f25aa5747ef739ff226e8c4d79

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: 45472d5b7f9a080db132474f77136198
    SHA1: bd5d9ab60ce302b406552213e624992b13e2105c
    SHA256: 7802b2eb17c026c4751d95c479e5755f42ca0a73b0c5d5cd2f8b3d17b7a1fa83
    SHA512: 7096bb1d86e3ce28003876d4b29130892465f3bbc1acf4127a123312f875c4e3b3fd5493c1c3697542cf70e075541f374642664d6bef3e9b70f86e884f677a75

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: d6126e4317bdaa13a094945939aa9990
    SHA1: 92197676e1086483aa1fba7ca08a2652d8f64388
    SHA256: d24d275dbe42dd3cc1c264191aca749f8efab6eb2baddc8a44bd1fe91048e871
    SHA512: 3da5aae5300c9afc586170f919727e8bc68a24568d82510d0246f400f570ca1716ce50e317e8419386c312b9ed93ed14584a7e6d2c4891bc6e7948c9d2452399

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: a47739d0c06aea77eecc5254e32cc81d
    SHA1: a3d2a0c8944f6dcc710e8b944cd6d48131b45731
    SHA256: 34eae7204f853e2068b3b991ffe1f7aeff2160c4c17799d71f267e2762479eb8
    SHA512: fc5489d243f983d04f324e81da44e62f20b68cb1fe7c803c00d83186a3c7fd956ca262085c3b7161c838998c6fa62aae90312095eeec0142e505b514857d9de8

  • C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___6Z01E_.txt
    Filesize: 1KB
    MD5: bfe78b81783c5f2bf62fc91298cfd3fc
    SHA1: ddc864962d730e3cdf16a82084cf07f0e45ee7e7
    SHA256: 294b7f3849426520e65e11c73e0c80274dd6ad8b73d2062f0a92e54ec0a44a1c
    SHA512: 005318d9bff1ed34502c6b844b4091b0a670c730482fd6d91f047eb7c5eedc26f0d5ae18b1a335bf7891187028a11e8285a26f28e18b367fb01002ddccf9a707

  • C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___WREKGT_.hta
    Filesize: 76KB
    MD5: bf88acc2f7070557701b08fee37d0d84
    SHA1: d96cab630b4869e8dbd855d4c8aeb19620164cf3
    SHA256: d6ae6e0a990aae0c8b48c0463ec5dfc518dcc9fd06c513f7064dcb15acba9c14
    SHA512: 1a43c5b813b66771bda9b759b66d9dade3da173e2fb20999869942c72675c9ee112f52f5129acfaab832e5fa50b3bc751a990a112976400311711a23c619027f

  • C:\Users\Admin\Downloads\Unconfirmed 315615.crdownload
    Filesize: 313KB
    MD5: fe1bc60a95b2c2d77cd5d232296a7fa4
    SHA1: c07dfdea8da2da5bad036e7c2f5d37582e1cf684
    SHA256: b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
    SHA512: 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

  • memory/3524-91-0x0000000000440000-0x000000000044E000-memory.dmp
    Filesize: 56KB

  • memory/4960-516-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB

  • memory/4960-504-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB

  • memory/4960-125-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB

  • memory/4960-561-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB

  • memory/4960-87-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB