Malware Analysis Report

2025-03-14 23:59

Sample ID 250226-ykxqbs1sas
Target jjsploit_8.12.2_x64_en-US.msi
SHA256 c3daa5b6503c601bf868de990dc5fe055c266a7cba6e269115290c37fb8a4d05
Tags dharma credential_access defense_evasion discovery execution impact persistence privilege_escalation ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 c3daa5b6503c601bf868de990dc5fe055c266a7cba6e269115290c37fb8a4d05

Threat Level: Known bad

The file jjsploit_8.12.2_x64_en-US.msi was found to be: Known bad.

Malicious Activity Summary

dharma credential_access defense_evasion discovery execution impact persistence privilege_escalation ransomware spyware stealer

Dharma family

Dharma

Renames multiple (671) files with added filename extension

Deletes shadow copies

Drops startup file

Credentials from Password Stores: Windows Credential Manager

Drops desktop.ini file(s)

Downloads MZ/PE file

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Executes dropped EXE

Subvert Trust Controls: Mark-of-the-Web Bypass

Reads user/profile data of web browsers

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

Browser Information Discovery

Opens file in notepad (likely ransom note)

Suspicious use of FindShellTrayWindow

NTFS ADS

Suspicious use of SendNotifyMessage

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Interacts with shadow copies

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-02-26 19:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2025-02-26 19:51

Reported 2025-02-26 20:00

Platform win11-20250217-en

Max time kernel 528s

Max time network 526s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\jjsploit_8.12.2_x64_en-US.msi

Signatures

Dharma

ransomware dharma

Dharma family

dharma

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (671) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" C:\Users\Admin\Downloads\CoronaVirus.exe N/A
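The rows above carry the three things a responder pulls out of a Dharma report first: the rename pattern (original name plus ".id-<victim id>.[<contact>].<ext>", here victim id C0DFEEAE and extension .ncov), the Run key values, and the files dropped into the Startup folder. The following is an added example, not part of this report or of any sandbox's own code: it parses rows in the flattened "Description Indicator Process Target" form used on this page and turns them into an IOC summary. The eight sample rows are copied from the tables above, with the contact address left exactly as it is shown here (obfuscated), so the suffix pattern accepts anything between the square brackets rather than requiring an e-mail address.

```python
import json
import re
from collections import Counter
from dataclasses import dataclass

# Dharma writes each encrypted file as "<original>.id-<8 hex victim id>.[<contact>].<ext>";
# the rows on this page show victim id C0DFEEAE and extension ".ncov". The contact
# address is obfuscated on this page, so the pattern accepts anything between the
# brackets instead of requiring an e-mail address.
DHARMA_SUFFIX = re.compile(
    r"^(?P<orig>.+?)\.id-(?P<victim>[0-9A-Fa-f]{8})\.\[(?P<contact>.+?)\]\.(?P<ext>[A-Za-z0-9]{1,12})$"
)

# Event prefixes used in the report's Description column.
EVENT_PREFIXES = (
    "File created", "File opened for modification", "File opened (read-only)",
    "Set value (str)", "Key opened", "Key value queried", "Key created",
)
# The Process column always starts with "<drive>:\" after a space; indicator paths
# contain spaces ("Program Files (x86)") but never the sequence " X:\".
_PROC_SPLIT = re.compile(r" (?=[A-Za-z]:\\)")

RUN_KEY = "\\CurrentVersion\\Run\\"
STARTUP_DIR = "\\Start Menu\\Programs\\Startup\\"


@dataclass(frozen=True)
class Row:
    event: str
    indicator: str
    process: str
    target: str


def parse_row(line: str) -> Row:
    """Split one flattened 'Description Indicator Process Target' row into columns."""
    for prefix in EVENT_PREFIXES:
        if line.startswith(prefix + " "):
            body, _, target = line[len(prefix) + 1:].rpartition(" ")
            parts = _PROC_SPLIT.split(body)
            if len(parts) < 2:
                raise ValueError(f"no process column in: {line!r}")
            return Row(prefix, " ".join(parts[:-1]), parts[-1], target)
    raise ValueError(f"unknown event prefix: {line!r}")


def decode_dharma_name(path: str):
    """(original_path, victim_id, contact, ext) for a Dharma-renamed file, else None."""
    m = DHARMA_SUFFIX.match(path)
    if not m:
        return None
    return m["orig"], m["victim"].upper(), m["contact"], m["ext"].lower()


def _unquote_reg_data(data: str) -> str:
    """The report prints REG_SZ data quoted and backslash-escaped; undo that."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    return data.replace('\\"', '"').replace("\\\\", "\\")


def summarize(lines) -> dict:
    """Pull the IOCs a responder needs out of a batch of report rows."""
    rows = [parse_row(l.strip()) for l in lines if l.strip()]
    victims, exts, renamed, run_keys, startup = Counter(), Counter(), [], [], []
    for r in rows:
        hit = decode_dharma_name(r.indicator)
        if hit:
            orig, victim, _contact, ext = hit
            victims[victim] += 1
            exts[ext] += 1
            renamed.append(orig)
        if r.event == "Set value (str)" and RUN_KEY in r.indicator:
            name, _, data = r.indicator.partition(" = ")
            run_keys.append((name.rsplit(RUN_KEY, 1)[1], _unquote_reg_data(data)))
        # An encrypted desktop.ini in the Startup folder is collateral, not persistence,
        # so only count files that are not themselves Dharma-renamed.
        if r.event == "File created" and STARTUP_DIR in r.indicator and not hit:
            startup.append(r.indicator)
    return {
        "victim_ids": dict(victims),
        "extensions": dict(exts),
        "renamed_files": renamed,
        "run_keys": run_keys,
        "startup_files": startup,
        "processes": sorted({r.process for r in rows}),
    }


# Eight rows copied from the tables on this page (a constructed subset; the contact
# address is left exactly as it appears above).
SAMPLE_ROWS = r"""
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Windows\System32\CoronaVirus.exe C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\7-Zip\Lang\sq.txt.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
"""

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_ROWS.splitlines()), indent=2))
```

The victim id is the value to pivot on: every file on the host carries it, and the Run key and Startup entries give the two artefacts to remove (plus Info.hta under System32 and AppData\Roaming, which the Run values point at) before the ransom note relaunches at logon.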

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-112184765-1670301065-1210615588-1000\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-112184765-1670301065-1210615588-1000\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\CoronaVirus.exe C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Windows\System32\Info.hta C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.X509Certificates.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\generic-rhp-app-selector.js C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\ui-strings.js.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetIQ.ExcelAddin.Resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationProvider.resources.dll.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesBadgeLogo.scale-200_contrast-white.png C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintMedTile.scale-200.png C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\sendforcomments.svg C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fr_get.svg.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\sl_get.svg C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PROFILE.ELM C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DigSig.api.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero2.dll.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.targetsize-256.png C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\ui-strings.js.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_id.dll.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\ui-strings.js.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_sl.dll.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\7-Zip\Lang\sq.txt.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-1.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SplashScreen.scale-125_altform-colorful.png C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.targetsize-48_altform-lightunplated.png C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\ICE.INF.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Algorithms.dll.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fi.pak C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\System.Reflection.Emit.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\WindowsFormsIntegration.resources.dll.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Forms.Primitives.resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherSmallTile.scale-125_contrast-black.png C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_2x.png.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pl-pl\ui-strings.js.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorrc.dll.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ReachFramework.resources.dll.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBHW6.CHM C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover_2x.png.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcer.dll.mui C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationBuildTasks.resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\THMBNAIL.PNG.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-40_contrast-black.png C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Paint_10.2104.17.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PaintStoreLogo.scale-125.png C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-4x.png.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\ui-strings.js.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-125_8wekyb3d8bbwe\SnippingTool\Assets\Wide310x150Logo.scale-125.png C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\css\main.css.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-xstate-l2-1-0.dll.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_mt.dll.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\psuser_arm64.dll.id-C0DFEEAE.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
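The report shows vssadmin.exe invoked twice by the sample and mshta.exe registered under Run to launch Info.hta, but the table does not capture the vssadmin arguments. The following is an added example, not part of this report: a small rule set over process-creation telemetry (the image, command line and parent image fields that Sysmon event ID 1 or an EDR sensor carry) that flags shadow-copy destruction and mshta launching an .hta, and then joins the two on their parent to surface the Dharma sequence as one finding. The events are constructed; the "vssadmin delete shadows /all /quiet" command line is an assumption about what the two invocations above looked like, not a value taken from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """The process-creation fields the rules need (Sysmon event 1 / EDR telemetry)."""
    image: str
    command_line: str
    parent_image: str


@dataclass(frozen=True)
class Finding:
    rule: str
    event: ProcEvent


# Built-in tools and the argument forms that destroy or shrink recovery points.
# The report shows vssadmin.exe running twice but not its arguments; "delete shadows"
# is an assumption about what those invocations were.
SHADOW_DELETE = tuple(
    (re.compile(img, re.I), re.compile(cmd, re.I))
    for img, cmd in (
        (r"\\vssadmin\.exe$", r"\bdelete\s+shadows\b"),
        (r"\\vssadmin\.exe$", r"\bresize\s+shadowstorage\b.*/maxsize="),
        (r"\\wmic\.exe$", r"\bshadowcopy\b.*\bdelete\b"),
        (r"\\diskshadow\.exe$", r"\bdelete\s+shadows\b"),
    )
)

MSHTA = re.compile(r"\\mshta\.exe$", re.I)
HTA_ARG = re.compile(r"\.hta\b", re.I)
# Directories an unprivileged user can write to; a parent living there is a dropped
# payload (here CoronaVirus.exe in Downloads), not an installer or an admin console.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|AppData\\(Local|Roaming)|Desktop|Documents)\\", re.I
)


def match_rules(ev: ProcEvent) -> list:
    """Names of every rule a single event trips, judged without reference to other events."""
    hits = []
    for image_re, cmd_re in SHADOW_DELETE:
        if image_re.search(ev.image) and cmd_re.search(ev.command_line):
            hits.append("shadow_copy_deletion")
            break
    if MSHTA.search(ev.image) and HTA_ARG.search(ev.command_line):
        hits.append("mshta_runs_hta")
    # Only escalate on the parent when something suspicious already fired; a user-writable
    # parent on its own is every portable app on the estate.
    if hits and USER_WRITABLE.search(ev.parent_image):
        hits.append("spawned_by_user_writable_parent")
    return hits


def evaluate(events) -> list:
    return [Finding(rule, ev) for ev in events for rule in match_rules(ev)]


def ransomware_chains(findings) -> list:
    """Parents that both killed shadow copies and launched an .hta: the sequence this
    report records (vssadmin.exe, then mshta.exe Info.hta) attributed to one process."""
    by_parent = defaultdict(set)
    for f in findings:
        by_parent[f.event.parent_image].add(f.rule)
    wanted = {"shadow_copy_deletion", "mshta_runs_hta"}
    return sorted(p for p, rules in by_parent.items() if wanted <= rules)


# Constructed events: the installer launch from the report's command line, a benign
# admin query, and the assumed vssadmin/mshta invocations by the dropped payload.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\jjsploit_8.12.2_x64_en-US.msi",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet",
              r"C:\Users\Admin\Downloads\CoronaVirus.exe"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r'mshta.exe "C:\Windows\System32\Info.hta"',
              r"C:\Users\Admin\Downloads\CoronaVirus.exe"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.rule:34} {f.event.image}  <-  {f.event.parent_image}")
    print("chains:", ransomware_chains(evaluate(SAMPLE_EVENTS)))
```

The "list shadows" event is there on purpose: the rule keys on the destructive verbs, so routine administration does not fire it, while the join on parent image is what separates a single odd vssadmin call from the full encrypt-then-note sequence.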

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\WindowsXPHorrorEdition.txt:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
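In both the Mark-of-the-Web row above and the two NTFS ADS rows here, the process touching the Zone.Identifier stream is msedge.exe, not the sample: that is consistent with the browser writing the mark as it saved the download, so these rows record how the payload arrived rather than the sample stripping its own mark. On a real host the check is to read the stream. The following is an added example, not part of this report: a parser for the INI-style [ZoneTransfer] block the stream holds, plus a reader that only attempts the stream on Windows (no other platform exposes it). The stream text is constructed and the URLs in it are placeholders, not values from the report.

```python
import sys
from configparser import ConfigParser
from dataclasses import dataclass
from typing import Optional

# URLZONE values from urlmon.h: 0 local machine, 1 intranet, 2 trusted, 3 internet, 4 restricted.
URLZONE_INTERNET = 3


@dataclass(frozen=True)
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def from_internet(self) -> bool:
        return self.zone_id >= URLZONE_INTERNET


def parse_motw(stream_text: str) -> Optional[MarkOfTheWeb]:
    """Parse the [ZoneTransfer] block that browsers write into <file>:Zone.Identifier."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(stream_text.replace("\r\n", "\n"))
    if not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    zt = cp["ZoneTransfer"]
    return MarkOfTheWeb(int(zt["ZoneId"]), zt.get("ReferrerUrl"), zt.get("HostUrl"))


def read_motw(path: str) -> Optional[MarkOfTheWeb]:
    """Read the mark from disk. Only NTFS on Windows exposes the stream; elsewhere there is nothing to read."""
    if sys.platform != "win32":
        return None
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_motw(f.read())
    except OSError:
        return None  # no stream: never downloaded, copied off NTFS, or the mark was stripped


# Constructed stream content in the form Chromium-based browsers write; the URLs are
# placeholders, not values taken from the report.
CONSTRUCTED_STREAM = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://github.com/\r\n"
    "HostUrl=https://raw.githubusercontent.com/example/repo/main/CoronaVirus.exe\r\n"
)

if __name__ == "__main__":
    mark = parse_motw(CONSTRUCTED_STREAM)
    print(mark, "internet-sourced:", mark.from_internet if mark else None)
```

A missing stream on a file that the sensor says was downloaded is the interesting case: either the file was moved through a path that drops alternate streams (FAT/exFAT media, some archive tools) or something removed the mark, and that is the condition the "Mark-of-the-Web Bypass" label is meant for.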

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (identical row repeated 6 times)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A (identical row repeated 2 times)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (identical row repeated 8 times)
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A (identical row repeated 48 times)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (identical row repeated 23 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (identical row repeated 63 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (identical row repeated 2 times)
PID 2288 wrote to memory of 3392 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (identical row repeated 40 times)
PID 2288 wrote to memory of 2928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (identical row repeated 2 times)
PID 2288 wrote to memory of 4384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (identical row repeated 20 times)

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\jjsploit_8.12.2_x64_en-US.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff887583cb8,0x7ff887583cc8,0x7ff887583cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4828 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,16856260110255902082,18293793241490320922,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6396 /prefetch:8

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\WindowsXPHorrorEdition.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\WindowsXPHorrorEdition.txt

C:\Users\Admin\Downloads\CoronaVirus.exe

"C:\Users\Admin\Downloads\CoronaVirus.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

Network


Files
