dharma | hxxps://downloadmoreram[.]com

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://downloadmoreram.com

Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (516) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Downloads MZ/PE file 1 IoCs

flow	pid	Process
86	4376	msedge.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	CoronaVirus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	msedge.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe

Executes dropped EXE 15 IoCs

pid	Process
3620	CoronaVirus.exe
996	CoronaVirus.exe
3596	CoronaVirus.exe
3424	CoronaVirus.exe
1872	CoronaVirus.exe
2116	CoronaVirus.exe
2280	CoronaVirus.exe
4600	CoronaVirus.exe
9188	msedge.exe
23548	msedge.exe
13316	CoronaVirus.exe
12748	CoronaVirus.exe
12364	CoronaVirus.exe
12640	CoronaVirus.exe
12592	CoronaVirus.exe

Loads dropped DLL 2 IoCs

pid	Process
23548	msedge.exe
9188	msedge.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4174397412-4125106315-2776226590-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
120	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-400_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\caution.svg	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Primitives.dll.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Xaml.resources.dll.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.resources.dll.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\BREEZE.WAV	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.runtimeconfig.json	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\31.jpg	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxBadge.scale-200.png	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\bin\jfr.dll.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-100.png.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-unplated_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1CORE.DLL	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\hxcommintl.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-convert-l1-1-0.dll.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\tzmappings	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8es.dub.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AriaWrapper.dll	CoronaVirus.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationFramework.resources.dll.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxManifest.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\flavormap.properties.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\close_dark.svg	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\pt-PT.pak.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\sqmapi.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-125_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.PNG	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Square71x71Logo.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-36.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\MedTile.scale-200.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\index.windows.bundle.meta	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tracing.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteFreeR_Bypass-ppd.xrm-ms.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pl-pl\ui-strings.js.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1XTOR.DLL.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Entertainment.winmd	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_tr.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-48.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Dallas.OAuthClient.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIDE.dll.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemData.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.targetsize-256.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\web_documentcloud_logo.png.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\plugin.js.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLL.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.dll.id-02F4562E.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeMediumTile.scale-125.png	CoronaVirus.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
6640	vssadmin.exe
14840	vssadmin.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 474357.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4376	msedge.exe
4376	msedge.exe
5108	msedge.exe
5108	msedge.exe
5072	identity_helper.exe
5072	identity_helper.exe
3604	msedge.exe
3604	msedge.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe
3620	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	14260	vssvc.exe
Token: SeRestorePrivilege	14260	vssvc.exe
Token: SeAuditPrivilege	14260	vssvc.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 4404	5108	msedge.exe	84
PID 5108 wrote to memory of 4404	5108	msedge.exe	84
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 3968	5108	msedge.exe	85
PID 5108 wrote to memory of 4376	5108	msedge.exe	86
PID 5108 wrote to memory of 4376	5108	msedge.exe	86
PID 5108 wrote to memory of 2880	5108	msedge.exe	87
PID 5108 wrote to memory of 2880	5108	msedge.exe	87
PID 5108 wrote to memory of 2880	5108	msedge.exe	87
PID 5108 wrote to memory of 2880	5108	msedge.exe	87
PID 5108 wrote to memory of 2880	5108	msedge.exe	87
PID 5108 wrote to memory of 2880	5108	msedge.exe	87
PID 5108 wrote to memory of 2880	5108	msedge.exe	87
PID 5108 wrote to memory of 2880	5108	msedge.exe	87
PID 5108 wrote to memory of 2880	5108	msedge.exe	87
PID 5108 wrote to memory of 2880	5108	msedge.exe	87
PID 5108 wrote to memory of 2880	5108	msedge.exe	87
PID 5108 wrote to memory of 2880	5108	msedge.exe	87
PID 5108 wrote to memory of 2880	5108	msedge.exe	87
PID 5108 wrote to memory of 2880	5108	msedge.exe	87
PID 5108 wrote to memory of 2880	5108	msedge.exe	87
PID 5108 wrote to memory of 2880	5108	msedge.exe	87
PID 5108 wrote to memory of 2880	5108	msedge.exe	87
PID 5108 wrote to memory of 2880	5108	msedge.exe	87
PID 5108 wrote to memory of 2880	5108	msedge.exe	87
PID 5108 wrote to memory of 2880	5108	msedge.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://downloadmoreram.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd999446f8,0x7ffd99944708,0x7ffd99944718
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6492 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6996 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3604
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:996
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3620
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2780
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:27380
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:14840
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:15024
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:14736
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:6640
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:13868
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:14216
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3596
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3424
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1872
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2116
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2280
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:9188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,16678544841226796124,4840757581699665491,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7156 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:23548
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:13316
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:12748
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:12364
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:12640
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:12592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:14260

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\6e750c24930f45089d7cf1d8e50d7871 /t 14240 /p 14216
1⤵
PID:17060

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\63eed5940b3146d9868554eb17a17625 /t 14208 /p 13868
1⤵
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-02F4562E.[[email protected]].ncov

Filesize
2.7MB

MD5
2b2c8f934e2a6d06fb4a7b525aac1730

SHA1
a559202fbff231da3a349e23009922ca1f58947b

SHA256
dc36d0c70a50c08300f385101913ff8b3a52128509417980543ab32c7e72e0f3

SHA512
74a19c4ec969d163f27a76743839f66a48f63939f3855c70af370868263f450c4b39d5f0ef710b5ee6d677d948d1fb3a7c03f022f447da3f65939f356f37e132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6a53cceb7a396402c1eccd08dbe38a73

SHA1
96e06029b79791df1b1a0a7cef7508a5c44d13c4

SHA256
31c8ba2ce8a088515e4feff78968e8916c759331b7428421a990cc349a208b51

SHA512
bda381d092d0272a19350a66533ec0fac2efccfd26fc87695a8270eb3d4abec01483b31dfae75ba3f128623454d471c9e948c44df478edbdb6b5a15377637036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a451e41e51facc395053e7b74c3490d0

SHA1
c866ac24af529f0265e99bd88529da46c9ff6dcc

SHA256
cc33bfdf9c856a2e9e9aa8eeddf9723a0396fad82b0dcae7a408bb4c84fdb584

SHA512
553489450d55d7adb9c859e521d0e46961490e54c533c826adc8c546ca0b51ecda82c159801bd060a291e724355c6d4fd2ee603ff65d4a15603f34f1472664fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
dec771edbd8747704357b17a0a3ad548

SHA1
a60affb8de1d0df1c6a131e13350edb9b6392caf

SHA256
cd765f2de5fcaf10c6d9f28ed354286c35aeb1eee93bf8f74cd31b7a9e31204a

SHA512
df463b214148b8d7dfe8c2859a7a1c83d01b5df01bfc087de3b3c3e2e48b3a10c34ef522f1d63564239172c79e6f4f57723a85d05b9047be27780c1a260107d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
28e94bc0886789c950488033b6c9c6f7

SHA1
17d4fba9fd032c4779761d5851e993714d9e18bb

SHA256
cf55a6143fc2bb3929229c544d0c822767c5ebfcf27748e4209441d53fb7fce9

SHA512
d9fc2b19eed6ea58346e54f9928f9d03b9576a4fb9ab5f23cc67c573eff2f5ba7d7642d385fb804c345fda0404d0310ed69b349e5f15441125da2a585403ac1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e28d257d0ad8e57addd6944d226ea837

SHA1
35b9a24271566238029a1f0bf355ff72030eb689

SHA256
833656f3ff2658a3a626c92ae38f63095d135160209dd8d4a54dcdae51234912

SHA512
fd267de367a0a3e0e312bb545df6bad16cebf26bd00ee0cac9f48c5a5ae72a6dc08c61c26f9b6359527b21eaa16162296a68eee2a5b56ff348d7a086d34c8767

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c70db7f7e1de8ba1b24c9c160001ee8

SHA1
6b50acd17e67e22a50d27c503f2c6f9413c52c16

SHA256
37ec003c9a5ecb441809e115754d3940794ea92fa7c48380ad12f33c8cab9c09

SHA512
7b7e601954a5e7c0096d8abd4db72722f4f2c387ee0b38c6c496fd306a6b8e20bf10ca1c32b1a4f17350b2eeda4d19dab39e5b89e5a7cba20123a2238898bf3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0b40e3eb2a4eaa48b1cdb0f3b0490d2a

SHA1
f1045d6db1a1ddb84229a62d9ec4423dd59fb35b

SHA256
7fdba20de7fa2910e1f85f911498fc48a34c8c3dc1192ccfed48b1fb467a59f0

SHA512
4f3407f99615ed2870ad4fdd7066b6af466d80d3838337eba9c1af7d0731a08a01c28c6dede5ad547a0f8a409ccb2407a1b6b858a8304d6bec6414545b24c45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a59f8e03d79d70d0f4e6bb10680670dc

SHA1
62f29755ce995824599fa9687538807baa80cec3

SHA256
84ca526690b67ef24f93c24602e21d4cda58d8faabb16dbdba8f1c7e6dc16dcd

SHA512
4bf443b8fdd60c9532dec4190afa700a245789305013bf91ed6251712457859e82ca18587515af656992e907d977825866492c30c63c08238c4aab527fbd72ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
391099070ae1dd4a1a546e9bc6fa48b3

SHA1
3322472b39b6decc90ada4dff5c5f27b2ee756ac

SHA256
e854e77058e7991327da2e2f9ed3c21b8a65db504822543ff0cbcac3e60e8b84

SHA512
f191609ec9b58d2ba20664ddf489e3e2339dd97e1a4bfe626a56c79d5b646a9b05f0ee72b54de94e026dc6e5c71e179e2e10ee059f08b3672e916cf59a573950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4375048f148d62869d13c038b534d729

SHA1
efb0839d8ac9cb26dcf368e70ad4b73d9cfae2cf

SHA256
2e0ad493f5309e67c487e1b291c98edb95d120cae2931fb491487d9c0ddcba22

SHA512
fe568981a3f5b1095f3dbf13f13f0a3956c3c33cb3c69caf4d85d499d160acf459882ee67d9f8011d8f64bc0cabd332dea8fba7808278cbd99e00556283e6db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0e8d5e8a053b0b93b583b6d14a18ff57

SHA1
2c6d85ed01b62ef1e94b8b26090a874991db7da0

SHA256
5cb6b5e89ccc77c765bd2940716ac2c2399f2f888466fc1dc32d86cc5bf8010b

SHA512
d353fb43c8eb126eeb837c4e8bee7e05e19e62f1c2343f98852000d187106f280bbcef70c27165765db504d5dcd14a1d58db8796e04034b547b2345e44bfd2fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
56c625e61688d644a4ce97fbac775791

SHA1
32cef68db1e027641527d5fd701df4aa2d0413a4

SHA256
15796356f53f6468583a6d4c6b7f2319f9e08cce4200909c512439ab754d8183

SHA512
7b5a810a2b65d4a9d35808ba77455c09f36e5d9c876dfc17b870a06ab8c54fc96dcd343788a754cb4d2e4a574f2956f5d9b13b1972d1c14dc83ddc1158df5438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
31a483bf451b41e9e6fd489ab69169a0

SHA1
bce5e8eab0f3308189758ada36f065df46746888

SHA256
827f4de96613fd5b883b3cd9e3c2c4d35e3635d9ec1f195979acb85f67ed1086

SHA512
448426800f67f1cb33d47c421867b303cfdde7c74051ffd51c0544742dbaaa4c68db5187499d0c69cdee8e3e5a4d6e6efbdc642dc01f32bc508b2c767696b990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58171d.TMP

Filesize
1KB

MD5
8896526bbbf7a66e726265f8c2355339

SHA1
983b879e53c4a54f5d77e6b57a4ee5d1c10c3df1

SHA256
e7c0f2258505bd78c102e526b3a2efb7d3bbd60038ef7bfba7ef1c118920b830

SHA512
bba3af3dbbb60e81e9790a777b30cb0bd9b1a86fbe3258c1828e929242438e70ca93984567d16d28ed710e83b8fef069f975035c9e91980041954bcded73a705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4ee913efbc2cb367356b3c778ccb2206

SHA1
ef9a3664dbe0727a0858acb2c59166de59193938

SHA256
0174ff747b8516c88140a4b3dd6730020ad91c4a47e1e078df04faff4f6e57fc

SHA512
b420ca8cbb067a3b8c5f160fa9bce8351aac4ec0f5684cdb3a85f2c0113e7906ba836b16ccf4b96448b86902883316d01fdad476e05ab4efae8f9cee64ea940d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a4b4d5332a6e4c5a7041613654584e4a

SHA1
2bbb979c5019f2733f134ac855eb0629505e8fcc

SHA256
822ed72c3899fd69e2d54ee5415fca3056c21904f2b4b86cd56f4b0a321692d4

SHA512
a91a903c50d7c00b08d34ac92cced7b41b2a2f0b1879e5c392606855f8c17ed90ed1be6e7e53e87272c8fa66d29680646ec06414fc3f6988caba2d8aa1c9c12f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
74a3c8bbf9ae198f013c0e7761ded3d1

SHA1
5cd6c45cd972cb09a0e806062f8c0531332fded8

SHA256
5d02635371857619951774bb85c98531a6e8f8a0bc145a320fe550009e9e7a42

SHA512
988574be839e6629c9c379a1056144d7ca81f9177c5d91b481e27464c969ec1e82358c0251b718fd02f273912c5d6ac34fe904dd7f9157b7892e57d5045c93be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
45eb9f688cedd1eaaf23a9857e2cf855

SHA1
1decb6385521b57d5d1e5a60af5c41a663846021

SHA256
04f12cd74d1c329b7542a3d97fa4bcd138395477757139614a4071af0b2de40a

SHA512
0cda449468fdb92349b24de80d760d4578e54ed750218d852bda842fd3892f6135ef70e500024623574f934e3fabbb3ca7cdb447afbceaeba5ad18edd30c2c31

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 474357.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
memory/996-610-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/996-4751-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/996-449-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1872-6240-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1872-6165-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2116-456-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2116-6241-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2116-6167-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2280-6242-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2280-6169-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3424-6166-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3424-6716-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3424-453-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3596-4887-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3596-451-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3596-4985-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3620-460-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3620-4626-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3620-448-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4600-7044-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4600-459-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4600-9721-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/12364-25802-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/12364-25827-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/12364-25818-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/12592-25829-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/12592-25825-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/12592-25804-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/12640-25803-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/12640-25816-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/12640-25824-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/12748-25817-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/12748-25826-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/12748-25801-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/13316-25822-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/13316-25815-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download