dharma | hxxps://github[.]com/cchm123456999/malware_sha1_hashes

Resubmissions

11/03/2025, 16:04

250311-thygmaxmx7 6

10/03/2025, 20:52

250310-zn3lesyvez 10

10/03/2025, 20:38

250310-zen2nsx1bw 10

Analysis

max time kernel
195s
max time network
188s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
10/03/2025, 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/cchm123456999/malware_sha1_hashes

Score

10^/10

dharma wannacry credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (672) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Downloads MZ/PE file 2 IoCs

flow	pid	Process
67	4756	msedge.exe
67	4756	msedge.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD753E.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7545.tmp	WannaCry.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe

Executes dropped EXE 11 IoCs

pid	Process
3756	CoronaVirus.exe
6332	msedge.exe
26656	msedge.exe
27548	msedge.exe
26888	msedge.exe
23072	WannaCry.exe
23636	!WannaDecryptor!.exe
20488	msedge.exe
18400	!WannaDecryptor!.exe
2300	!WannaDecryptor!.exe
28448	!WannaDecryptor!.exe

Loads dropped DLL 5 IoCs

pid	Process
26656	msedge.exe
6332	msedge.exe
27548	msedge.exe
26888	msedge.exe
20488	msedge.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3835819470-2031661444-2626789713-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3835819470-2031661444-2626789713-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
62	raw.githubusercontent.com
67	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3835819470-2031661444-2626789713-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\TipsMedTile.scale-200_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\osDetector.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sv_get.svg	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\MSTAG.TLB.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_es-419.dll.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\tr-tr\ui-strings.js.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ru-ru\ui-strings.js	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL090.XML.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.29512.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-ms.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-16_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Xaml.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses-hover.svg	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebHeaderCollection.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.DataSetExtensions.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.2012.21.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorLargeTile.scale-125_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\SplashScreen.scale-150.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jfxmedia.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.config	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-black\GetHelpAppList.targetsize-80_altform-unplated_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-63.png	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libsdl_image_plugin.dll.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\Microsoft.PackageManagement.resources.dll	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\identity_proxy\identity_helper.Sparse.Canary.msix.DATA.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\vcruntime140_1.dll.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN108.XML.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpAppList.targetsize-96.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_retina.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_1.0.22.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-200_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-memory-l1-1-0.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\be_get.svg.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\OrientationControlOuterCircleHover.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\Sticky.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-xstate-l2-1-0.dll.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-80.png.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Coverage.ps1	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.White.png.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-20.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\ui-strings.js.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\ui-strings.js.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\ExcelMessageDismissal.txt	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru\ui-strings.js	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnIE.dll.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\x64\msvpxenc.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\dbgshim.dll.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tr.gif.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\ui-strings.js.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\bun.png.id-97E2757C.[[email protected]].ncov	CoronaVirus.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
30356	vssadmin.exe
23092	vssadmin.exe

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
28424	taskkill.exe
992	taskkill.exe
2052	taskkill.exe
4476	taskkill.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4756	msedge.exe
4756	msedge.exe
3424	msedge.exe
3424	msedge.exe
3432	msedge.exe
3432	msedge.exe
1392	identity_helper.exe
1392	identity_helper.exe
2668	msedge.exe
2668	msedge.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe
3756	CoronaVirus.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
28448	!WannaDecryptor!.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeBackupPrivilege	24384	vssvc.exe
Token: SeRestorePrivilege	24384	vssvc.exe
Token: SeAuditPrivilege	24384	vssvc.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	28424	taskkill.exe
Token: SeIncreaseQuotaPrivilege	20832	WMIC.exe
Token: SeSecurityPrivilege	20832	WMIC.exe
Token: SeTakeOwnershipPrivilege	20832	WMIC.exe
Token: SeLoadDriverPrivilege	20832	WMIC.exe
Token: SeSystemProfilePrivilege	20832	WMIC.exe
Token: SeSystemtimePrivilege	20832	WMIC.exe
Token: SeProfSingleProcessPrivilege	20832	WMIC.exe
Token: SeIncBasePriorityPrivilege	20832	WMIC.exe
Token: SeCreatePagefilePrivilege	20832	WMIC.exe
Token: SeBackupPrivilege	20832	WMIC.exe
Token: SeRestorePrivilege	20832	WMIC.exe
Token: SeShutdownPrivilege	20832	WMIC.exe
Token: SeDebugPrivilege	20832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	20832	WMIC.exe
Token: SeRemoteShutdownPrivilege	20832	WMIC.exe
Token: SeUndockPrivilege	20832	WMIC.exe
Token: SeManageVolumePrivilege	20832	WMIC.exe
Token: 33	20832	WMIC.exe
Token: 34	20832	WMIC.exe
Token: 35	20832	WMIC.exe
Token: 36	20832	WMIC.exe
Token: SeIncreaseQuotaPrivilege	20832	WMIC.exe
Token: SeSecurityPrivilege	20832	WMIC.exe
Token: SeTakeOwnershipPrivilege	20832	WMIC.exe
Token: SeLoadDriverPrivilege	20832	WMIC.exe
Token: SeSystemProfilePrivilege	20832	WMIC.exe
Token: SeSystemtimePrivilege	20832	WMIC.exe
Token: SeProfSingleProcessPrivilege	20832	WMIC.exe
Token: SeIncBasePriorityPrivilege	20832	WMIC.exe
Token: SeCreatePagefilePrivilege	20832	WMIC.exe
Token: SeBackupPrivilege	20832	WMIC.exe
Token: SeRestorePrivilege	20832	WMIC.exe
Token: SeShutdownPrivilege	20832	WMIC.exe
Token: SeDebugPrivilege	20832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	20832	WMIC.exe
Token: SeRemoteShutdownPrivilege	20832	WMIC.exe
Token: SeUndockPrivilege	20832	WMIC.exe
Token: SeManageVolumePrivilege	20832	WMIC.exe
Token: 33	20832	WMIC.exe
Token: 34	20832	WMIC.exe
Token: 35	20832	WMIC.exe
Token: 36	20832	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
23636	!WannaDecryptor!.exe
23636	!WannaDecryptor!.exe
18400	!WannaDecryptor!.exe
18400	!WannaDecryptor!.exe
2300	!WannaDecryptor!.exe
2300	!WannaDecryptor!.exe
28448	!WannaDecryptor!.exe
28448	!WannaDecryptor!.exe
22592	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 4020	3424	msedge.exe	79
PID 3424 wrote to memory of 4020	3424	msedge.exe	79
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 3116	3424	msedge.exe	80
PID 3424 wrote to memory of 4756	3424	msedge.exe	81
PID 3424 wrote to memory of 4756	3424	msedge.exe	81
PID 3424 wrote to memory of 4100	3424	msedge.exe	82
PID 3424 wrote to memory of 4100	3424	msedge.exe	82
PID 3424 wrote to memory of 4100	3424	msedge.exe	82
PID 3424 wrote to memory of 4100	3424	msedge.exe	82
PID 3424 wrote to memory of 4100	3424	msedge.exe	82
PID 3424 wrote to memory of 4100	3424	msedge.exe	82
PID 3424 wrote to memory of 4100	3424	msedge.exe	82
PID 3424 wrote to memory of 4100	3424	msedge.exe	82
PID 3424 wrote to memory of 4100	3424	msedge.exe	82
PID 3424 wrote to memory of 4100	3424	msedge.exe	82
PID 3424 wrote to memory of 4100	3424	msedge.exe	82
PID 3424 wrote to memory of 4100	3424	msedge.exe	82
PID 3424 wrote to memory of 4100	3424	msedge.exe	82
PID 3424 wrote to memory of 4100	3424	msedge.exe	82
PID 3424 wrote to memory of 4100	3424	msedge.exe	82
PID 3424 wrote to memory of 4100	3424	msedge.exe	82
PID 3424 wrote to memory of 4100	3424	msedge.exe	82
PID 3424 wrote to memory of 4100	3424	msedge.exe	82
PID 3424 wrote to memory of 4100	3424	msedge.exe	82
PID 3424 wrote to memory of 4100	3424	msedge.exe	82

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/cchm123456999/malware_sha1_hashes
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff87f203cb8,0x7ff87f203cc8,0x7ff87f203cd8
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1716 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7040 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6792 /prefetch:8
  2⤵
  PID:2196
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3756
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:484
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:16000
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:30356
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:24360
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:24048
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:23092
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:23572
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:23768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:26656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:27548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:26888
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:23072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 184401741640085.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:25144
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:17184
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:23636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:28424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:18400
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:18552
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2300
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:18684
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:20832
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:28448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,10919737043942276670,11701865242035357362,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6280 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:20488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:24384

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:22592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
b920873beaf2888f16d6c169a515894f

SHA1
d98b602634d8b25adaaf252f8b76df17d6774635

SHA256
dadf8bb4b3e6d7461dfc9d9b7cbeb4471e4ea6c04082fa47ef37478b9ec422c4

SHA512
ad79d430da04367d306bae9542147f553aa51e049235b0db1c5c577bfa4bcafc7a48fc882312cedc4f62d302e2c674ce8ae989f5af16f1c4315506c97a547a9a

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
3.2MB

MD5
7faa5ffa86c7629b995db9db9de5840e

SHA1
a5b83fe6745288cb6fa18450b3f9ad918fe90970

SHA256
ddda6f7397e8ebe11981b6ba137af2d99a72fe3ac1b14afee00737eca6738ed3

SHA512
7aa8e32117951be916c8f829f1f7ebae999292edf45abd4dc8ffab5a21a87ffdc956246b1c2aa62ece63fc39ef9eb7ee0d51fc1a797d0f5051ce0b9216e2633c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id-97E2757C.[[email protected]].ncov

Filesize
2.7MB

MD5
0ca8bcde56316e075472fe8372ea82d3

SHA1
cf982a8b9f1140b519a9906ed4c0e60f38dc461b

SHA256
afd350fd1b3879ec8bbcc9a9283dadfc8dad81421ddc98c3c0f60d98e4fca406

SHA512
3c0961fe72ea4bc8c733e153b3007ba2bbf449b7feaefb547ea1245711b0895e9c4dec345886053c59c4becdf9db1387ebdc4f3eb833ab23f32970ad832a4653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4815ecce34e90c0f6ca91c7e35be703f

SHA1
61ec0042ccee59f6bdf6b96eb9f412cc97717702

SHA256
5db366717739338c23e07ca15aea2b48924a3b3ecacb214221239333b11ae7d6

SHA512
751dfd6eea90fc4efb557611e8afc6ef1634c4e2bdd97f3c72638def09f644ebd8bf5696b9ed8379973106524d08c67188f7f64c0f941e8f95109920120dae05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53c68f0f93ab9a94804c00720a0bcd9a

SHA1
9009307d51e1fd60f9a90d77007e377c7f893434

SHA256
a38f0777d4ca9e777191cc924c22eb1847ae805ab79ff224860e8c70d7f49422

SHA512
a1d5b92fced821328a668fbfe9ad694b99c873ffa3ed28aa5bf1e8ef8054486289b5ddb26236cfa7c1ca0db993f306cdfc5878480b6a543aca1620075f77d670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
21KB

MD5
8e01662903be9168b6c368070e422741

SHA1
52d65becbc262c5599e90c3b50d5a0d0ce5de848

SHA256
ed502facbeb0931f103750cd14ac1eeef4d255ae7e84d95579f710a0564e017a

SHA512
42b810c5f1264f7f7937e4301ebd69d3fd05cd8a6f87883b054df28e7430966c033bab6eaee261a09fb8908d724ca2ff79ca10d9a51bd67bd26814f68bcbdb76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
37KB

MD5
a565ccff6135e8e99abe4ad671f4d3d6

SHA1
f79a78a29fbcc81bfae7ce0a46004af6ed392225

SHA256
a17516d251532620c2fd884c19b136eb3f5510d1bf8b5f51e1b3a90930eb1a63

SHA512
e1768c90e74c37425abc324b1901471636ac011d7d1a6dc8e56098d2284c7bf463143116bb95389f591917b68f8375cfb1ce61ba3c1de36a5794051e89a692d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
21KB

MD5
1401e9fee77d1f2ac68382f3e92290d0

SHA1
3016320f4984fc3bea3b64f56900478a7eaecc53

SHA256
1681cf800cad8c704acc3eba63766b2bc724de769092153121f73a34c61f6564

SHA512
a4138eb2b7c6f777dc6b65294a1087501ea4f7ddc082c5455f5998fbee4bc16e28e4d11d0663011cb5889077b2557810a421d6569ab1b796fc94e0e2cd4193d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
38KB

MD5
adf2df4a8072227a229a3f8cf81dc9df

SHA1
48b588df27e0a83fa3c56d97d68700170a58bd36

SHA256
2fd56ac4d62fec83843c83054e5548834a19001c077cdb224901237f2e2c0e4c

SHA512
d18ffc9a41157ea96014a503640b3a2a3931f578293e88cc05aa61c8223221d948c05637875d8e3ee5847b6a99341ea22b6a1aee67c170e27bde5e154cf1b9ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
26KB

MD5
398c110293d50515b14f6794507f6214

SHA1
4b1ef486ca6946848cb4bf90a3269eb3ee9c53bc

SHA256
04d4526dc9caa8dd4ad4b0711e929a91a3b6c07bf4a3d814e0fafeb00acc9715

SHA512
1b0f7eb26d720fbb28772915aa5318a1103d55d167bec169e62b25aa4ff59610558cf2f3947539886255f0fa919349b082158627dd87f68a81abac64ba038f5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
18KB

MD5
217be7c2c2b94d492f2727a84a76a6cf

SHA1
10fd73eb330361e134f3f2c47ba0680e36c243c5

SHA256
b1641bab948ab5db030ec878e3aa76a0a94fd3a03b67f8e4ac7c53f8f4209df0

SHA512
b08ea76e5b6c4c32e081ca84f46dc1b748c33c1830c2ba11cfeb2932a9d43fbb48c4006da53f5aac264768a9eb32a408f49b8b83932d6c8694d44a1464210158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
18KB

MD5
8bd66dfc42a1353c5e996cd88dc1501f

SHA1
dc779a25ab37913f3198eb6f8c4d89e2a05635a6

SHA256
ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839

SHA512
203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
59KB

MD5
677b60e336250eeada06d8327fc60579

SHA1
42dfd2a0ce32ab65e7451f49fbca24a197678b5e

SHA256
236fb6e6ac21ee7db3076e54681bf23d9c9ce9b9131af61e946cdb05f9ed208b

SHA512
61a7cfc0e6ae0b9e98bcb6af4eeb3e3c43226260fc0b9e1c48d9197c9f0f09e3eab908f08763da99ab91549859f9ff26e06bcfe941e52337dac3f4246e26b8ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
109KB

MD5
c4ea54408ec0f9e4fa1b5088be611555

SHA1
c4f43c099d8704d576f41c1a8768d2d9f8b5b540

SHA256
4419ca856acab73856ca62b85eb2a0ac121f40d941b95e88f77d896714b4b2ea

SHA512
1f0c6cdf5037020ded233fdb1796b06ee61e84d4a8100d4d5a11e0be7b7825b6b1dd930895152d50c8da2243582e4313335f0b3fbcdafd627c0e2bdf5907d85b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
45KB

MD5
355198f126f4bdb592de84060fb953c7

SHA1
5bc189cef51bb45c39096bfe79365db62465df40

SHA256
aa481677770e43995e9376c56eb8f232d652bc84cc1f9640a45099f65a18d466

SHA512
406d0571b8bb5669a45dfaad3ec7f8574892a6aee70c0909d113f2e8f52e3796945bee255de215edc46e2bba855539b13f016f686696e5b664c29f0169417f2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
55KB

MD5
92e42e747b8ca4fc0482f2d337598e72

SHA1
671d883f0ea3ead2f8951dc915dacea6ec7b7feb

SHA256
18f8f1914e86317d047fd704432fa4d293c2e93aec821d54efdd9a0d8b639733

SHA512
d544fbc039213b3aa6ed40072ce7ccd6e84701dca7a5d0b74dc5a6bfb847063996dfea1915a089f2188f3f68b35b75d83d77856fa3a3b56b7fc661fc49126627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
87KB

MD5
65b0f915e780d51aa0bca6313a034f32

SHA1
3dd3659cfd5d3fe3adc95e447a0d23c214a3f580

SHA256
27f0d8282b7347ae6cd6d5a980d70020b68cace0fbe53ad32048f314a86d4f16

SHA512
e5af841fd4266710d181a114a10585428c1572eb0cd4538be765f9f76019a1f3ea20e594a7ee384d219a30a1d958c482f5b1920551235941eec1bcacd01e4b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
16KB

MD5
dde035d148d344c412bd7ba8016cf9c6

SHA1
fb923138d1cde1f7876d03ca9d30d1accbcf6f34

SHA256
bcff459088f46809fba3c1d46ee97b79675c44f589293d1d661192cf41c05da9

SHA512
87843b8eb37be13e746eb05583441cb4a6e16c3d199788c457672e29fdadc501fc25245095b73cf7712e611f5ff40b37e27fca5ec3fa9eb26d94c546af8b2bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
16KB

MD5
58795165fd616e7533d2fee408040605

SHA1
577e9fb5de2152fec8f871064351a45c5333f10e

SHA256
e6f9e1b930326284938dc4e85d6fdb37e394f98e269405b9d0caa96b214de26e

SHA512
b97d15c2c5ceee748a724f60568438edf1e9d1d3857e5ca233921ec92686295a3f48d2c908ff5572f970b7203ea386cf30c69afe9b5e2f10825879cd0d06f5f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
17KB

MD5
ff6c5c5e54367258b348fcfde412dc59

SHA1
9d7f64aa25175a828c56d2731ff4b838382514b5

SHA256
21280ad81c6d90567da562c854b3793155e1bdac7f3d209508c4b289c2cec277

SHA512
9a1825d154c4fce0107d910794e95d8ff6e3e9188072cfb1bfec5c32457a3130779550ecb8ee71b742410ca8fc2ea1c4aa784ed89f3c5d441aa3d59f4ae2ca3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
66KB

MD5
82aed0507916d948f5c787e965e3682e

SHA1
c8c633f0f7121b88a81f4fcd8cf21947e8ab11fe

SHA256
7a52c8eae1dab1e42febae4717c2f58beac45d6a50a1041221c32a3eb4a70e45

SHA512
53a915d100dbb83e8f0778a008f99cba64bd9b522530ad336850e00e05d8b8ae4db147427cd519ef920a8c22d66d43aa39e765534132a28debc99c61fb19ea63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b87a0cfb4e6184199bf2b68d71e2d9b7

SHA1
e670e85fede0a61884c499a9fa4b85e50495b105

SHA256
cf0ca34f908f43855e884e9005b649c31649a99667dba7d095e8abc286c1d428

SHA512
742f815e3c3db728facdc8d598e93e07706881d720db9d573de2dce9a0cda26bb0796e08a29a125c4c1bd64f41f67a6b94c71e27fc39a709dc6ad3b763c7e3e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
871B

MD5
3fb0d12977873ca1b667f34233b88222

SHA1
f3f9f1451c7cf8c17d9202e702be2ccdee74bdd4

SHA256
8bcec08f3a5ee0f92c785a394df0f48c055ebb6a6e88fbca4e172b3a30262df7

SHA512
01f24361ca78720a1227f9c0e5b28a6df5b75583758173d1fe3ccc0878c2624e7d2d50de2d6caac25e237d3bb0746955bfa454c78b917d5c882a8e54e5978331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a6a16b99be6f330599e4ad7e945ce047

SHA1
726f4421d7c38dd01ff57f1940bfab568144b3f1

SHA256
29a92a1f7de8bacf20622b03189cf543df92a5e46f7800bd9065668d261f26aa

SHA512
679653dd9d50509bd39e4bdb2e40dafdf196e5bb3e34e7fb741feb8fe3d3218629c2f071514fe6125d92e8be313be557339709d6212820bcfa9055267bd2dcbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
84c3e36007afbf8f89c6ad3f1b71bbd4

SHA1
d264a12c0479b9739d5b848fb6a403963976a1b8

SHA256
f08911b1089ad8bb762cfe672b3fff4325389f90ba849bae207ca52af18372df

SHA512
62b67cb325f09a04aeb123b685778b22736dcc7556958101854b1fd420476e6c660b7f2d4afaecfbe5d85ddfb48089846feb2fd135fa7f42d92264426ad28682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
95723f3d874b20d810b46f371c21e434

SHA1
57b4566395cc38bcc83342940152e70a67ede023

SHA256
2fd0de046953c60c5e34d7cdbdacee2e0ccfec8bb09674b0bb7661c2df68bf89

SHA512
2945c51ace013c1937e68d5e9a34031cf82e6cbfa4cfad00a2ab0e58544f0bca547a353a879ba2262dc4362c348656874b70afdb28d99c3c0f9e69c6faad991f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1306456ce3cc22cdbc35a9f915b83cf4

SHA1
c83038bf8cc324fd763fe28132117c5bf4390820

SHA256
2ffb056bd7e087a4ea90e19e8cff14511654e9f4222a10a3a8f0cfc5ac784c35

SHA512
3d17ad038945d36f749bce9324f97af9b1d128a9376e86df243cd062dc4e22ab4593451c1771cf983ce61a7c543ce21f3659a777c4b115665a8f2feccdb59ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c6aff1e845518f1d68526322ab558bfe

SHA1
3d7f3d1cee7527cd404ddf7b5ac72e057c5bb11f

SHA256
cc68a321134e5fd066f1a6e8adf5babec5e30d50e013d9a14851b5f523e9b832

SHA512
aad781f6ad20b1de16626aa995069a9b4217f109adc7788cac56214ee6a857faeb2e4057aa9a70441594e89dda7105bc948291104f088994f26324242acc9877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RFe596e7f.TMP

Filesize
6KB

MD5
53c549d11d86300c38ba65fe38fe1d77

SHA1
e03c531baebf852aad09124676d04172eae35d92

SHA256
5f4c7703da3ab2fe122529f2bf1e076765e70d9bbf9b44b0405a03365c7eb1e2

SHA512
1a1d6132bee66f335023c7f9f2c397f401e4e95b893a42e1becab93b2d7c4d89eaef9a1d6c820c7371c0109affc9528c688b3de391e5ad53558a1390ad456b1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
be7547929e5abe72a3fe5b171233624d

SHA1
88af3ba64b0485df61ddd0f2be908f1865bf93a3

SHA256
aa207fb0ccae8c1ea3d21ed0945e6e693071d5739f2dabfc7acd47e6cae1fe5a

SHA512
e4f22e66bc680f5491deb7b4f5d09b07086fe3dd85d78ca75ea823d57facc6eb0327f0e5cf0c882c421e0457ece62c9c9de272eaf0fcb62c4bf9616d46dc8f80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
44e50c093272407d404b7bcd3717b3e7

SHA1
67969f6a1473b79e659473cf04ab6b7bd46eaf29

SHA256
adeccd4c3d34fe86ee519d54c49dde148499626d2d97bb60fe24d71685505779

SHA512
69aff68b6c2caaf77c3cd61f00f98195dac929090057435cdd2b6e2ab5fe1fb08a0aa84d30ebec4b34825dc360823117f9ab8323c3b2bcd53a81f0a52be5b2e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
33cd8cd918f5e7748e394574629e09b6

SHA1
8a4e43acb809e0cf52d890a9ab4683e124480260

SHA256
9c54eee0a506412f8ad8dc03cbfc38faf1edaa68253d83caf88ac3b0d3f816e8

SHA512
eabc96c3701eed21be9260445defa2f0587a29def0ea33ce3c7c6a1a6130d67ce24f7230388b76d726e6c4e21580e348285167c7291fa4e24610948f86eca34c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fcde0015ca54836a14cce9d294fdf920

SHA1
f87d44914e4b64b7422a36ab8b11d9bd1203f2a2

SHA256
c84e07f90c27859c8ddd681da73869a379e4dd56d60719b482d1c7384f728433

SHA512
2f582efa37ea15595753a6b22fef6f202d35899da118901538f3a6e818b4f40558b48ba1fafde86b8bd199f0ae7acbcb29b4a6c12adf4469eb6e25543c4535ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0f47b7add04e64b462895d64d880aff8

SHA1
3c30b21ab44fa151f61c83caa5b9700e36ce8d92

SHA256
6d2c1557e293af7fbb5e72203648320e8d6221f3b464d498cd728f16a3a7db19

SHA512
f8b113112e3bcad52b4dadcde9004659875edd2c17ebb0e368e46c8169001a6724148a1dc9fb76738644e2a8afb7acf955bcbf3f91c41a803c5b6536ed6acd1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580cfb.TMP

Filesize
874B

MD5
7c07dae72922d2022766a54ba5643828

SHA1
b0aedf3a6933f0305b18a2119728446d69b24580

SHA256
48fae3db9c61ca643050d59c5b20327906e926e155bc837d48742e0cfd52daa1

SHA512
ac4764ecc11c00f53e017160c50b922efd79695896bc6ca4924ecd38040fc6e2e7325c98ca5a5ade537cba922fa58957ba872f1ba1069348621d8e1562758168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5926c8.TMP

Filesize
1KB

MD5
5a74631c0088f6edaec311d8fddc11e3

SHA1
b7373aab61b0c1c30627fe19d978192a087a746b

SHA256
d2a6e6e3178dbedc33c2a248ecba60495326cb096ddc99bcd2f4e257c89a835d

SHA512
bb82df302fea0a8e6f28c85b8c0a3daed5ff3e602d6cc5b79aeacbb067f9047a24f51a184f728f4a8f5e54dd490fde8102ef8cd43ded9ed0e2f7c835f5250a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9a8e0fb6cf4941534771c38bb54a76be

SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c

SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
80KB

MD5
4c3e4477b800bae057f03a707874e658

SHA1
810b3dc7c7ac65013a8f758c400bd28da491b6a2

SHA256
c719a567cc8751a789119ac23ec1114c36f45a3343fa559be8f82ec5a9fde563

SHA512
ca84d62125a7b5c68554af1192cd62c36dd45a80680a2395acd19c4499bb8cec61fcafb3b5ad89f7fc388c54b258e673f15051f94a5f8f3c40149466e139206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db

Filesize
16KB

MD5
d926f072b41774f50da6b28384e0fed1

SHA1
237dfa5fa72af61f8c38a1e46618a4de59bd6f10

SHA256
4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249

SHA512
a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
12090b2d14acb53d901ca6b5ad892cd6

SHA1
f0c9828ac8edb878478cbc929df85790827cd1ea

SHA256
a317d29c06219ca16c515cf696beb2a3293f36192b83e63e21923a4dec5dee53

SHA512
5aee62abd2f4ac7005161df631946834e0d8eaa1f98d3697887649bbe05110571955d7c40d4c5b7fc4b9c0ca558f9959bd812e8338558592e91bbc3ed278eb5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2684c7e0c3b925d26760cbbd80028cc0

SHA1
68648fb731882c0fe9597693b0544d939eadd370

SHA256
d29b9b35dad61e6c3caabb367e4c06969a91d9c297183cfa11f257b72b5370a5

SHA512
12bf5f3a182b89f02f604091fc0e6d3fbcf9f07f9d28a03b3feb51fb4652be47e63ca9816ed567b863858d2c1796f0ae8c3fb57eeb3c62292fee0c3f206a1082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
49615722b41c93252685ac2d546cd282

SHA1
6bd3334bbd12992088fb0f7469e49aa2612e2fe3

SHA256
9dd642ae5fa330bd6c4b559ce0d9c3cbd3192ab4b639bf9e727c6e5bb08df677

SHA512
b96aa56a66e22f26d49c5e57ce66d858b344d4fc52de75d135d57142c5dfc8737696145063299728e23e83bbe54344d277f0a8bb14eae333dc6bbb0a10d7ea3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2efe6ee7e766b52648c14661d61a59ad

SHA1
a1c3146b5f3b7799dad8169654119b659ff9b208

SHA256
0af9aad79e16cf0b5af67ed8619828c35ff7be301d6239ea96c877738800409e

SHA512
a7d99d2218e7a3d65de84f59b97adaa4fcc18cfb3a07278850609b51689639b8c60980605c71e835e85754b609e747c131a2ee63b7e21eee646ba20fe58caa10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\cfe7ae75-5485-4c3c-a193-2c2e79dd0ec9.tmp

Filesize
12KB

MD5
80b5a4396a617ad76d0b13aa828b2e26

SHA1
c223cecfde5f7b408c2160ef0b31bdb55b2b2572

SHA256
4d411baf1c051ff1e73474504b8c2e6f934e869ac851731a7c3960d0a7349477

SHA512
d9fd0da82d45766626c1b7392347dec56bf72e953a477a04bd06ca5ca429cad7607880ba728a36c53a96433c1092762bb6bec2e05b511cf1309d026a82973732

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 108351.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 994095.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/3756-4914-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3756-846-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3756-830-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/23072-26741-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download