Malware Analysis Report

2025-03-14 23:59

Sample ID 250221-nc5e4azqgt
Target http://virus.com
Tags: dharma, discovery, persistence, ransomware

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

Threat Level: Known bad

The file http://virus.com was found to be: Known bad.

Malicious Activity Summary

dharma discovery persistence ransomware

Dharma

Dharma family

Downloads MZ/PE file

Executes dropped EXE

Drops startup file

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious behavior: LoadsDriver

Enumerates system info in registry

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer Phishing Filter

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Volume Shadow Copy service COM API

Uses Volume Shadow Copy WMI provider

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

NTFS ADS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-21 11:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-21 11:16

Reported

2025-02-21 11:21

Platform

win10v2004-20250217-en

Max time kernel

311s

Max time network

330s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://virus.com

Signatures

Dharma

ransomware dharma

Dharma family

dharma

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus (1).exe C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus (1).exe = "C:\\Windows\\System32\\CoronaVirus (1).exe" C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2278412438-3475196406-3686434223-1000\desktop.ini C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2278412438-3475196406-3686434223-1000\desktop.ini C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\CoronaVirus (1).exe C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File created C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-localization-l1-2-0.dll.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-2-0.dll.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Primitives.dll.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\asm.md.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\asm.md.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ext.txt.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Primitives.dll C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\en.ttt.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Mail.dll.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebClient.dll.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Loader.dll C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.dll.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\ucrtbase.dll.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\msdaps.dll C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File created C:\Program Files\7-Zip\Lang\zh-tw.txt.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.dll.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File created C:\Program Files\7-Zip\7z.exe.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Metadata.dll C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\lij.txt C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-profile-l1-1-0.dll C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.dll.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File created C:\Program Files\7-Zip\Lang\fi.txt.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File created C:\Program Files\7-Zip\readme.txt.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.ResourceManager.dll C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\lt.txt.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\adojavas.inc C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\directshow.md.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nb.txt C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Claims.dll C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\ucrtbase.dll.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11wrapper.md.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.CodePages.dll.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.dll C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File created C:\Program Files\7-Zip\Lang\bn.txt.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kab.txt C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\7-Zip\7-zip.dll.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-memory-l1-1-0.dll.id-5C134D26.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\AgentTesla.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\AgentTesla.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Curfun.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Curfun.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Curfun.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = f6529ae18f81db01 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Internet Explorer\RepId C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{A5CF9B06-8E4A-41A8-A9E6-BADE4D4E61BF}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DE2BDED6-F045-11EF-BD36-6A2C1800A637} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\crdownload_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}" C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\crdownload_auto_file\shell\open\CommandId = "IE.File" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\.crdownload C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\.crdownload\ = "crdownload_auto_file" C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\܈栁蠀㦰잓翸\ = "crdownload_auto_file" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\crdownload_auto_file\shell\open\command C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\crdownload_auto_file C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\袠誤ȁ\ = "crdownload_auto_file" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\crdownload_auto_file\shell\open C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\crdownload_auto_file\shell C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\܈栁蠀㦰잓翸 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\袠誤ȁ C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\crdownload_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1" C:\Windows\system32\OpenWith.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 229805.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 864767.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 539206.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 383708.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 362658.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 290251.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus (1).exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: LoadsDriver


Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (32 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (3 identical rows)
N/A N/A C:\Users\Admin\Downloads\AgentTesla.exe N/A (2 identical rows)
N/A N/A C:\Windows\system32\OpenWith.exe N/A (47 identical rows)
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A (2 identical rows)
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A (2 identical rows)
N/A N/A C:\Windows\system32\OpenWith.exe N/A (7 identical rows)
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1384 wrote to memory of 4248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 1384 wrote to memory of 4152 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 identical rows)
PID 1384 wrote to memory of 4964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 1384 wrote to memory of 1804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (20 identical rows)

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://virus.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b3a246f8,0x7ff8b3a24708,0x7ff8b3a24718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5708 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2744 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6372 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault405cc069ha2ebh4065h9a69h2c488d0ae8ac

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8b3a246f8,0x7ff8b3a24708,0x7ff8b3a24718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,14322817005695570737,12569888184543836389,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,14322817005695570737,12569888184543836389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3

C:\Users\Admin\Downloads\Curfun.exe

"C:\Users\Admin\Downloads\Curfun.exe"

C:\Users\Admin\Downloads\Curfun.exe

"C:\Users\Admin\Downloads\Curfun.exe"

C:\Users\Admin\Downloads\Curfun.exe

"C:\Users\Admin\Downloads\Curfun.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5844 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4916 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6700 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3452 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6956 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6848 /prefetch:8

C:\Users\Admin\Downloads\AgentTesla.exe

"C:\Users\Admin\Downloads\AgentTesla.exe"

C:\Users\Admin\Downloads\AgentTesla.exe

"C:\Users\Admin\Downloads\AgentTesla.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\Unconfirmed 383708.crdownload

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:328 CREDAT:17410 /prefetch:2

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\Unconfirmed 383708.crdownload

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:328 CREDAT:82948 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6948 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7152 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,14669499805972256424,13779347259950096779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8

C:\Users\Admin\Downloads\CoronaVirus (1).exe

"C:\Users\Admin\Downloads\CoronaVirus (1).exe"

C:\Users\Admin\Downloads\CoronaVirus (1).exe

"C:\Users\Admin\Downloads\CoronaVirus (1).exe"

C:\Users\Admin\Downloads\CoronaVirus (1).exe

"C:\Users\Admin\Downloads\CoronaVirus (1).exe"

C:\Users\Admin\Downloads\CoronaVirus (1).exe

"C:\Users\Admin\Downloads\CoronaVirus (1).exe"

C:\Users\Admin\Downloads\CoronaVirus (1).exe

"C:\Users\Admin\Downloads\CoronaVirus (1).exe"

C:\Users\Admin\Downloads\CoronaVirus (1).exe

"C:\Users\Admin\Downloads\CoronaVirus (1).exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

Network

Country Destination Domain Proto
US 8.8.8.8:53 virus.com udp
NL 86.105.245.69:80 virus.com tcp
NL 86.105.245.69:80 virus.com tcp
NL 86.105.245.69:443 virus.com tcp
US 8.8.8.8:53 www.virus.com udp
NL 86.105.245.69:443 www.virus.com tcp
US 8.8.8.8:53 oxley.com udp
NL 85.10.133.119:443 oxley.com tcp
US 8.8.8.8:53 code.jquery.com udp
US 8.8.8.8:53 maxcdn.bootstrapcdn.com udp
US 151.101.2.137:443 code.jquery.com tcp
US 104.18.11.207:443 maxcdn.bootstrapcdn.com tcp
US 104.18.11.207:443 maxcdn.bootstrapcdn.com tcp
US 104.18.11.207:443 maxcdn.bootstrapcdn.com tcp
US 8.8.8.8:53 files.efty.com udp
US 104.26.9.138:443 files.efty.com tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
N/A 224.0.0.251:5353 udp
GB 2.18.66.65:443 www.bing.com tcp
GB 2.18.66.65:443 www.bing.com tcp
GB 2.18.66.65:443 www.bing.com tcp
GB 2.18.66.65:443 www.bing.com tcp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
GB 104.86.110.96:443 r.bing.com tcp
GB 104.86.110.96:443 r.bing.com tcp
US 216.239.32.36:443 region1.google-analytics.com udp
GB 2.18.66.170:443 th.bing.com tcp
GB 2.18.66.170:443 th.bing.com tcp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 20.190.160.5:443 login.microsoftonline.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.109.133:443 avatars.githubusercontent.com tcp
US 185.199.109.133:443 avatars.githubusercontent.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 collector.github.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
US 140.82.112.22:443 collector.github.com tcp
US 140.82.112.22:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 collector.github.com udp
US 140.82.113.22:443 collector.github.com tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9f4a0b24e1ad3a25fc9435eb63195e60
SHA1 052b5a37605d7e0e27d8b47bf162a000850196cd
SHA256 7d70a8fc286520712421636b563e9ee32335bca9a5be764544a084c77ddd5feb
SHA512 70897560b30f7885745fede85def923fb9a4f63820e351247d5dcbe81daab9dab49c1db03b29c390f58b3907d5025737a84fff026af2372c3233bc585dcfd284

\??\pipe\LOCAL\crashpad_1384_COASTDYBATATIABH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4c9b7e612ef21ee665c70534d72524b0
SHA1 e76e22880ffa7d643933bf09544ceb23573d5add
SHA256 a64366387921aba157bba7472244791d5368aef8ecaf6472b616e1e130d7d05e
SHA512 e195e1ce5e7c06d193aa1f924d0079ea72b66eb22c3aea5b6811172251768f649368734e817996d9f0f72ddfd0e2bf2454aaee0bc650eaffd56fa125a334ae88

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5674d26acb914b2d7cc0134299abdebc
SHA1 840e317b26da0a3a98ca7dbb3fe36e14a9c75d24
SHA256 a0ff06f51f2621f0a47b85eaa2009c1e6c577777a1ea788a9d45b869b8f14a90
SHA512 8b50a5bd15d34b49ea78081f7e96ccad1ed129e319238d9072adedaa945abe94403026d085dfa5add5d537901e4eb434339c3aea01d5b183f1aada6dfa17c8fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 88eac3a04edce892e6c38cffd570788b
SHA1 1c2cdc9a298ad7751e0ac833665e7898efe85a29
SHA256 a2e8cd0d34a3eeb2c3a8c816589b1ddca64ffb394e788d910162687afaf30845
SHA512 0c0d0484ea5b5a57b0bfc380f41f222c37f64a06a188127c0659f322975719f850a9c43e99c5d7f6785bc40b8c3195b849122f6324eea510f84b44ae1fe53d49

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 41f2c59362404a02100154add4787302
SHA1 568a34c9bdc63e040d7281134e10828462704cb2
SHA256 199f63ebe6ae167259ab472bbad58e2c30aa1e093e986474a260f705f981f83e
SHA512 0d568e405da169ac74a569e7f2e82feb6568563d50c2c65cc1a10efbd8cae2cb06bf7dddef179268ed234174443b194ef91372a5bfee19b75f10aee08f5dc22a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 6ee98a21ed596aab296e321af32ccd86
SHA1 5add8b52e1c9656edb6310d4036706b793a94beb
SHA256 e78d3d259924a5112ce71f2e20ab7e9314dd94ddc19aeb710b8f9a20f2b2dcb0
SHA512 f2db596b6e5ef7c4fc916082a9a090d9507a1b6bde1de108cdea48ca3378640d81b9dfd80054725e02ef118c8355fefdfabf6ca35453955e4b0c79e5a047a987

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d060.TMP

MD5 de15fa0e8be4e28a5eeeaeef683a2751
SHA1 a471e18b4475562fb272089e9e2dc45674585fc3
SHA256 95bf166e020c670f0a3c752b712a9583856598e19c10828248e5b64af58d224d
SHA512 932f00238d2dce33865a282766979b293996678db63445cc65fea425d079f6e9b796483c49f1c845757c57c19a5dea91bbc9baec3c87cbc3c368ab29b2884408

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 edde24f016cafb70e1148c10f88e7560
SHA1 acf933823968c802f3b6a9b61f95d3bf002069c5
SHA256 98065fe2c0849da8e58b6d520de51bd17a8dfd0240d1aeedb2ee9e120169fa8c
SHA512 aef9ab2eba243e3148e27766773323b327ecffcd325a4d20f8b7e47e4dcfc2b6c9d0f7c5f072b18341716ddc2a476af651a9f724ca3e9f91d4e1cd92d4531a58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 db319f8906c38a72f14b138dd88a45a2
SHA1 b4cb12df94b713fc5c77f93511f62d3a06f8f217
SHA256 194c0c7a145f50f1daad2f937ed2afff8aa800f7b8df279c8c8ba34b27a2b721
SHA512 a99491ddd92d0d3caed63318bdbaaaec120005f59d7293d5dcf685b2a1b2a827943e7a557c8d871aac3e15403f50a8542db5627898c9b56847eacc68bee25760

C:\Users\Admin\Downloads\Unconfirmed 229805.crdownload

MD5 0b3b2dff5503cb032acd11d232a3af55
SHA1 6efc31c1d67f70cf77c319199ac39f70d5a7fa95
SHA256 ef878461a149024f3065121ff4e165731ecabef1b94b0b3ed2eda010ad39202b
SHA512 484014d65875e706f7e5e5f54c2045d620e5cce5979bf7f37b45c613e6d948719c0b8e466df5d8908706133ce4c4b71a11b804417831c9dbaf72b6854231ea17

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 6932dc16b85579585b3dbfdd031d232b
SHA1 57a8d8416c68fb08760d942817f43dc6abf4124b
SHA256 7ac103ec0c1b3332a0b556d5b23c0f709e0abf6cb2313f868c9746de12e3e830
SHA512 a511b01c7b321cfcd5ae90e2678b112f249f78b36dbed53e40147be5c003b73134569ebd2384a54f12f267caf773baf7cc88241cabeee6d85b477543d59aeb94

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 0ebefca526923bf5ee9c029ea78937b1
SHA1 7e944780cb108c6e9bd7706b912f716e9e427bb9
SHA256 3597b757ea2c32aae571ebe85d58693daadf91fbb17b81431083040e166a94cd
SHA512 3d8b31401203936dddfbef9f08cb3c8b058f4abd78494d2f2650d4e7af470bef0de397c422d90ac7cb950638f22b260c5c083eb973349e98615ed974a09fdf63

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0e8ef5df9b90d9877b0953ce6e807918
SHA1 57eebd375d41ebaab9ec79938f8c5146dc42896f
SHA256 7158b528fc952c63eb753345424d453ed22e7e34b57c6bef19023072270d39d9
SHA512 054187c48b3d7df993bfcc48d45e21583181df0b598170ccb568c86e8a477f155aeb9e35ead7be617138d4d23b919ab2ead96b359f0e9e5bae57e039a44df6c0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8f7f5aa17dea9d12d672572a60999cff
SHA1 d51dcf70c1b69a7283e57f3ef57eb42ba33cf9be
SHA256 cf6b1bbac7b8ee53688149bc9fc368514f9e1c9b23bad2834f9dec37a5e08322
SHA512 36f40ef47e30880118c560ae381aca1d4f31fe12eafd1ba2809cbb3a69819026bb43830dda5efac0b3bb6c7dadaff5512db47116d4f401566cfb9d9c19305bb0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 913538b52407a309debab09f3eed6687
SHA1 49ac89efbf5e0daad0c7b087b671ffb5b5dd651e
SHA256 03bd849ee4d9c066762737af7ff6e670526780945003aac81f4697c96688511f
SHA512 39a361b54cc09203de964c73441c59e0b204de3cf9270de7ffafefeaef8de6f1e408c4bbcc8ef5d9870daf48f0ef516ab9b12cbe94e22ce3df7cbc99a38a0f3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 bec8757676545e59e6a6b9d8321160e6
SHA1 ec71b77f8c792b7bdddd29e4e0d575750299654e
SHA256 38c3d4dd4df9788fbc7071d29bc754c8067788a8dd4ea0d4a69c0359ebfe5c1d
SHA512 56594d3cd83b3e4f10110f14b6403a7536f39e66baff550b328fe8ed04bbaf683509f4974e65acb890449edd229f0b3d2546c0afc9d6aef8e32b71c3bb4863a7

memory/5744-529-0x0000000000400000-0x0000000000464000-memory.dmp

memory/5716-530-0x0000000000400000-0x0000000000464000-memory.dmp

memory/5664-531-0x0000000000400000-0x0000000000464000-memory.dmp

memory/5664-535-0x0000000000400000-0x0000000000464000-memory.dmp

memory/5716-537-0x0000000000400000-0x0000000000464000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e121e0b4f31e8101badd2615377ddf64
SHA1 3fdf81bd2ba59ba6d3f61fa257067c81cbace651
SHA256 54f38e0f434101c468abd39b7c7fcb1e0883d524e7991ae723869c2325632bce
SHA512 8e6a8f321a8eb0ab42f8c757343dea97403198f9d0f2308e9e18dbe35b6071c2e396f7c3b3d065cf7a2996176230adfdac5d7e6e0a693cb604526ae9c088372a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

MD5 e42eb6b987a46c895dcb7fa84dd38e61
SHA1 a23c3d5710c227aab14b5c6ae1eb05b0a537b8cd
SHA256 2186cf3fb1356149de2896f8c226cd09ae6de2d8986c738ff0719dd23724fe70
SHA512 6b03b465468a56be7df4b68743de0085b32c8974ff660ee9950158803ad3f8ba4a0d857b5ab629a5c80ec49bd6a337392723a4045fece976783ef72d00ec8008

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 00d3d8c94efb0f731986f90a1bca4e9d
SHA1 a8b2cccf7dd8ab9247b4b2f214c8c20ee5b2721f
SHA256 e623dfa6bd8ff7d712c5a5b4a691ef5f29d940e701dc4a51e0b33cf6391d1906
SHA512 ce0c66239e7261670ca43870b484444359653ea38a1e847b5060cdb94d5602a3296258e5a567d5ca0023e8a8debe80ca29f49f99f26814ab4bf84177fd558289

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 08248433e69782b50eb0208699033022
SHA1 74d73966c6600330a7196707e133896065e524ee
SHA256 20239c50a6a10301524ddabbfa0b86142102395bda9dac871087016b370a8af7
SHA512 f0758d8cfb9baa72a8be793dba85718fa6f6eaab67759347d6c1d4dd950907820f42dbe9a75c1de2ffe11c14eb987f5791dd50a35afc0cb86a99b0481507ef76

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 0809a3ff4eea3c3c72b8eaabadc0c1c7
SHA1 78abd2f6a3b697f9557034348de409a4d12a6c9f
SHA256 f5295d6f313a158005ea2e7b5d9cf82119383672894b5934d4827b1ddc4eff3a
SHA512 cc162e4c2b5da2fb0099ee8dfa26fcf598ba76ea3cebb3266f29ba537247fbaa85aee2390e079310b26eee7031d9e7afc82533593938c269bf056568de07147a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

MD5 adf2df4a8072227a229a3f8cf81dc9df
SHA1 48b588df27e0a83fa3c56d97d68700170a58bd36
SHA256 2fd56ac4d62fec83843c83054e5548834a19001c077cdb224901237f2e2c0e4c
SHA512 d18ffc9a41157ea96014a503640b3a2a3931f578293e88cc05aa61c8223221d948c05637875d8e3ee5847b6a99341ea22b6a1aee67c170e27bde5e154cf1b9ca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

MD5 d2610a5d8eb0910f15b4d0ba1db62ad1
SHA1 a48324d4034a4aede07736a1e1236edc09f82109
SHA256 30cfccf9517449b44740afc542d5ef80255071b5fbf4f36d767bd479dec3fdb6
SHA512 06c3abdb2ed0d6b9ab1f9b2172b1ac28862a8b27abbcc64250aa43302792cba76a201b2b1a180159a50658ba34657464335cee2f2cd8511e34133657bc1b60dc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

MD5 54d2c504f0b710269a13bad34f552abb
SHA1 7c79631be828cd1fa04030b63cf9e23ed29571c5
SHA256 34acf086839092fa81d02de527db37c38c72806b7e53fdab9a50570cba953e47
SHA512 83ee68e560a33c5fa39527e1661a30820ba22b2c617a4ea40fd2f0ffdc44c167f1c91385e7aa3308e99cd2855e6c47cae2c9495dd386b3f8135fcad722f0b267

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

MD5 58795165fd616e7533d2fee408040605
SHA1 577e9fb5de2152fec8f871064351a45c5333f10e
SHA256 e6f9e1b930326284938dc4e85d6fdb37e394f98e269405b9d0caa96b214de26e
SHA512 b97d15c2c5ceee748a724f60568438edf1e9d1d3857e5ca233921ec92686295a3f48d2c908ff5572f970b7203ea386cf30c69afe9b5e2f10825879cd0d06f5f6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 49c6dda5ba5ffc7b329452c2c41d3502
SHA1 2cad141756d68d1aa751d25dc8deea0803de98f4
SHA256 a9802cedd8a56ac5a6d9e5a993e538087d27e5293dd2bc35c05de3e920e6608b
SHA512 cc4e408675e19fc77289b27ec633a78ba6d4ae3de5e53fb5fab47b902fd3e5b66178c65b63cc720fe0ed1e488ba5b764e55ae00d63545974cce1ecd7b86b195a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

MD5 0331c4b9117ad64f519da07d6822f8f4
SHA1 56f803ec5acfdea3657683ae74206dbd5e4830cf
SHA256 6c26d9825e9af4516d5f48e2705312eecd91e7e0e466e00862639f96d63f7806
SHA512 0425f0bf078780d5f313c4bf1b023a648ee896d3f9f767d021483ea84ee4c384988532a76ca2bfc67ad3da068b789b25ecec021826377044faf2c7d026c477ea

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 57b961b6ed91dcf988c635a4f2edf14d
SHA1 e09bab269f469f985ee74ffad534850a91f1d8c7
SHA256 4cdc94f52ae5dbf184ab540375d5e76ae9360745affb08e396c49843a8c96061
SHA512 018f7f436517ff5af76751e0962232004d1c15c1cf6ea75ad62dbcf2af22468cdd6a399e248e0d4bebd4bca74d73cd35e2823f802aec9707a6bff7b1cc00397d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 3f96c4ca1e250304b9ea2bc4992bcdd0
SHA1 f5ad57c8eac3147f7783f5f3d6046c9061fb8eb8
SHA256 f311fa8879662cd637ac20f6296a63b779162842e377188e9296d6063c82bb08
SHA512 3461e81c6654b472aa9e46067776e9fd2500062b2106bb4226e7c068ac0b0b38a54972243dca29f9504f6b24583e3ab9807d7646d92e9be8b37693cc83ac539a

C:\Users\Admin\Downloads\Unconfirmed 864767.crdownload

MD5 a56d479405b23976f162f3a4a74e48aa
SHA1 f4f433b3f56315e1d469148bdfd835469526262f
SHA256 17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23
SHA512 f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 83a0999cac82ddf32a5da01309b2e3ae
SHA1 e9770e4ae72835738ff39986fd56e463ba536c6a
SHA256 63e183d7c63ea220259aec271bf6a2de3498a01589a9a38b439a5da4135d241a
SHA512 0047f2992b3f5629d31f228203f6b167228f930f82572e2813d91736c205bc13741ee5539726fd5f7c79bff3d80271b04bb760005a28bc900b7284339b073359

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d9e81f03fabf4a257bb5f380d9d1fc16
SHA1 be3fec865574d2bc285164cd01d90d0c28c9c81e
SHA256 fc8c2896aef2c24283f4fffec242648b764bfb68cfcabc1b1a9e96ca67dd7d5f
SHA512 74c99125f4b80b3d2a0af5b41209b3463d10c1d5bf24cc3565aa82f7d53b089deaac3f9fcd695b8dad54826540cf0006071e67b539f5d9ca272a7e5f423aa09b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a6657dc1e9a4d7128dfc7413d0076770
SHA1 59a5c18bfb88349920b23724b3ce1cc8f8fbc41a
SHA256 0addce645eb6ea7fe259210cb01fa907ab3163a83ce1d68eeda2be444522be74
SHA512 dbf131c39a457916dbb6a4dd5ea6bae5111f137bd6494d367a58502f22075f50f223145a87f3faaa24a4c3c6bac5b9dc42fe756422030d698d645ee63cf042d4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 68c37e1a1fb708f1dbf8b5533fca4c33
SHA1 9939e8d8c6bc5593ebeb8687325fc1e4ccd5e5aa
SHA256 083471154505a9e492172e5c1192c830c5020cffea822ac482a56e8bdbd85211
SHA512 5572063e642153375ade43a67fc12af286aee2d7c292ff9665835e527b45983a82c9a1e8736e29b9ec38199cd1c918d4d3a7499b764b76c8cd20f4f018cefea2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 6bed5b7d4997bd56aaef6ffd5e9b884f
SHA1 d19f3787baf081087000025572269d2552c02e77
SHA256 804bf4df0cb4e13e41a0173c384cb7d9347dc699de41635881e2519fb1489e6c
SHA512 ea4051cc15925c67c4d80dabad566f23290d7c434f5c8a2a9910df3bad3b8197dbdd39a73808b696dfb21b67a937f7216e36d141b4f378e7448932b19a328927

C:\Users\Admin\Downloads\Unconfirmed 539206.crdownload

MD5 cce284cab135d9c0a2a64a7caec09107
SHA1 e4b8f4b6cab18b9748f83e9fffd275ef5276199e
SHA256 18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9
SHA512 c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0b060330460f7ef593c16393040bc9d6
SHA1 8d446f0d79656412fb283efb3ee69fa6ddfb02db
SHA256 50b50876a9448418a718de889bcf767f2c1fe2c872313f67fa59cec1cad06b5e
SHA512 cc684f2990bd194775afcc0264704cb81eae616b642298cb605792c81e16572a535dc91b537e8085a79e80b3a763a1e94e14313cd560394f3b831544f84219fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2affa4a9e87fb4c14fc140676f4e3a9a
SHA1 afd0d196db6caf60bdfbb72d8eb8fe5879ec1872
SHA256 66105f4993cc1849427052a78f8cb3314e5b906b95176b9d3a2a92fa5fad5290
SHA512 217edb11e6324fdbfbfe07d15eaaded33e17cb2f5b93d4afbad640cc6c5a552dc0f15e5adc13b2f1814414256cf48066a13170cfb4a60a8c0ef0a16513c0cd7e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 292d21821a81e2a4963fb5a677fad6f0
SHA1 90d339119eebf65f5e733e55d22c1028083592ad
SHA256 aba45000cfd7f993f94b4fe9b43ed4ed346384e03a1685cb19c0170e2454b87e
SHA512 06f1cd31b103f4bd736c1458d6f29ad2b100ebc5dbdb34c67fd8c94aeaaf0a35c9f0bee7768fc0e774a66fb05fa07c116f4e8f88627235f65028b45b2c8f895c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 6826ddbc090607cc175b5e19c202fe75
SHA1 fc8b09f4233aa4a8ac04454699572245d969a7a8
SHA256 5088e6e62ef125600c95854ed87b59d44cc5cc39008cf163238e5fc4ed2c234a
SHA512 80465e4c2ac2e40e2e3a1c766307e90c84cace3b1cdb122a15f0734f54621cb02e39476948402a2a083810cbe98a033892815cb1412b9e907eed71822830dd2c

C:\Users\Admin\Downloads\Unconfirmed 362658.crdownload

MD5 055d1462f66a350d9886542d4d79bc2b
SHA1 f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256 dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA512 2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

C:\Users\Admin\Downloads\Unconfirmed 362658.crdownload:SmartScreen

MD5 4047530ecbc0170039e76fe1657bdb01
SHA1 32db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA256 82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA512 8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 41585dee63c95d62733e88fbee00c5de
SHA1 5bdb0c0333a2907fccf598f1c2e81c52a339ac32
SHA256 a7ecaed1290e245f838e4e45c8de5ae2bdaa8b9892027a9562b9914ae501cda1
SHA512 a91dc379f49871a4b58969487a3348563f4106d7eabd4addeb52a24936a3ba8915ed0380a5a2d601cc42ac2044fd4baf445359df1f747045b8d529f27fc0eff5

memory/5728-1129-0x0000000000400000-0x000000000056F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fda098ede906edfb42c9f1a8258197aa
SHA1 9dee53af0a264022c1d8cec8797866d0bf0168db
SHA256 0d306f19b6d09a69c95fde36dab3308607e671c272fa079c8515b804123b75e9
SHA512 4ef9953816b153534b0e26a716d0385981c3bf00d0d5806352b7d55a53a7aa6d22f28a39bc6f1f7daca8454a6f7dd77872368bada3f153d9518a0c317167fd9d

memory/2884-1155-0x0000000000400000-0x000000000056F000-memory.dmp

memory/5728-1160-0x0000000000400000-0x000000000056F000-memory.dmp

memory/4484-1156-0x0000000000400000-0x000000000056F000-memory.dmp

memory/5728-2356-0x0000000000400000-0x000000000056F000-memory.dmp

memory/4484-5123-0x0000000000400000-0x000000000056F000-memory.dmp

memory/2972-5134-0x0000000000400000-0x000000000056F000-memory.dmp

C:\Program Files\7-Zip\7z.dll.id-5C134D26.[[email protected]].ncov

MD5 d85ec597fb2426f330cea40f02a35c30
SHA1 2ff270c680cec1b98ba4516e29900549f62aea68
SHA256 0de5d0e211886e9c4255eff5360a7362d72e9ec3583840cf42419ea8c02ce8ab
SHA512 7e43c54d464a2e70b7070cde42db495cec4d8912fa84ba17d6789bade75289ad8e3710938e8edc249544449d0df9c661d24addceb5c208538c2080fe399e7ab9

memory/764-5404-0x0000000000400000-0x000000000056F000-memory.dmp

memory/764-6874-0x0000000000400000-0x000000000056F000-memory.dmp

memory/5672-6872-0x0000000000400000-0x000000000056F000-memory.dmp

memory/2884-6871-0x0000000000400000-0x000000000056F000-memory.dmp

memory/2884-6892-0x0000000000400000-0x000000000056F000-memory.dmp

memory/5672-6875-0x0000000000400000-0x000000000056F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 81a4d953fb226103c1cd179dad31194a
SHA1 f20f42dcf7a2650061b3e4ab62b3f44a0bc2f0b7
SHA256 dc7c2a36219d979c89addf1a29569c478fc4c47858c147a50bd78fbed0342d1d
SHA512 f9e98360e91a48f94de57e255b0cf0b4891a02ee8498c06c6c937e432ffb722311acd31e746e1bade5a9a0057f87e56912ee616c5e0addf1fddc277169c1b7da

memory/2972-5271-0x0000000000400000-0x000000000056F000-memory.dmp