dharma | hxxps://www[.]virustotal[.]com/gui/home/url

Analysis

max time kernel
412s
max time network
413s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
23/03/2025, 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.virustotal.com/gui/home/url

Score

10^/10

dharma troldesh credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (775) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Downloads MZ/PE file 2 IoCs

flow	pid	Process
295	3232	chrome.exe
295	3232	chrome.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\International\Geo\Nation	CoronaVirus.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe

Executes dropped EXE 6 IoCs

pid	Process
6060	CoronaVirus.exe
2108	CoronaVirus.exe
5432	CoronaVirus.exe
2360	CoronaVirus.exe
22852	chrome.exe
18016	NoMoreRansom.exe

Loads dropped DLL 1 IoCs

pid	Process
22852	chrome.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2123103809-19148277-2527443841-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2123103809-19148277-2527443841-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
134	camo.githubusercontent.com
293	raw.githubusercontent.com
294	raw.githubusercontent.com
295	raw.githubusercontent.com
124	camo.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/18016-28744-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/18016-28748-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/18016-28745-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/18016-28746-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/18016-28752-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/18016-28754-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/18016-28765-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/18016-28767-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/18016-28769-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/18016-28773-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL117.XML.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_field_grabber.png.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\PackageManagementDscUtilities.strings.psd1.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.resources.dll.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.format.ps1xml.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\download.svg.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluDCFilesEmpty_180x180.svg.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\ui-strings.js.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\index.win32.bundle.map	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\main.css.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\eu-es\ui-strings.js.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Design.resources.dll.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Design.Resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\Locales\mk.pak.DATA.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Utilities.v3.5.resources.dll	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Primitives.dll.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\improved-office-to-pdf-2x.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbDownOutline_22_N1.svg	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\VisualElements\LogoCanary.png.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.cpl	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_chromecast_plugin.dll.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationCore.resources.dll.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Luna.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected-hover.svg.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\et_get.svg.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-oob.xrm-ms.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\no_get.svg.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-heap-l1-1-0.dll.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEXBE.DLL	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\Classification\Dprt\Microsoft.Ceres.DocParsing.FormatHandlers.OneNote.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\hu.pak.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\bin\lcms.dll.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libvpx_plugin.dll.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\Example2.Diagnostics.Tests.ps1	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageProviderFunctions.psm1	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryNewsletter.dotx	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.dll.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.Serialization.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlSerializer.dll.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hr-hr\ui-strings.js.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ppd.xrm-ms.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.boot.tree.dat.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\selector.js.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Microsoft.PowerShell.PackageManagement.resources.dll.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\java.policy.id-6E3EBFED.[[email protected]].ncov	CoronaVirus.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
22932	vssadmin.exe
21212	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133871668541340975"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1512	chrome.exe
1512	chrome.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe
6060	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
23100	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 560	1616	chrome.exe	84
PID 1616 wrote to memory of 560	1616	chrome.exe	84
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 1888	1616	chrome.exe	85
PID 1616 wrote to memory of 3232	1616	chrome.exe	86
PID 1616 wrote to memory of 3232	1616	chrome.exe	86
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87
PID 1616 wrote to memory of 5036	1616	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.virustotal.com/gui/home/url
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffa26f3dcf8,0x7ffa26f3dd04,0x7ffa26f3dd10
  2⤵
  PID:560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1748,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1604,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2332,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2376 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3216,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3236,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4408,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4432 /prefetch:2
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4772,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5396,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4440,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5804,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4904,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4832,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4820,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5768,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3304,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3892 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3424,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3308,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=1168,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3884,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4552,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4456,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6036,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2272 /prefetch:8
  2⤵
  PID:5828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5612,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:6124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6380,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6520,i,18419000187354397367,1043535763650091198,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6468 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:22852

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1252

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6060
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:1676
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:22916
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:22932
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:21380
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:21252
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:21212
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:21304
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:21288

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2108

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5432

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2360

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:22960

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\3c5b19beea4f44f2aea93e42f1e3a83a /t 21284 /p 21288
1⤵
PID:22688

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\7b4685950a0b4155afe25b0e24d0a674 /t 21300 /p 21304
1⤵
PID:22764

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:18016

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:23100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-6E3EBFED.[[email protected]].ncov

Filesize
2.7MB

MD5
571df78cd458ac21105ebc77e546d449

SHA1
a7087d71b583418c321cc86ae2ff6313988d763b

SHA256
e0c869bdb99f5dcae5abb90ac852104fd4e9a8a12bb3897235436fbdd186163e

SHA512
b208f2663842eab7c1dfe24176976e9651d9b35fc4b3e778c6d5a94bafc1c48b0678c37d1fe49bdf7642afc7ea46469cfb309e05559662f54d208d2afc16b2e6

Download Submit
C:\ProgramData\Windows\csrss.exe

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
34c29bdb9e41b1f47f2d2786762c12ec

SHA1
4075131b18c3487e3e848361e112009c897629c7

SHA256
67ee11b51cd6f637795e31ab501f135ed595c8459bce885735f08b0418513a17

SHA512
ca3a978798e77b2ced27b379f38e935ef18beaa7ea23e34270a9af20b37e1b1c5edf9478606311cf1acabd83992766cb3da8444de9394c674d5955bdbc53c0d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8de47f00e5cf4a4fe2cb5bf4a4c4f2fd

SHA1
c1a46fc8d393866bcc0b30ad4da2ab210bde956b

SHA256
6b5fb1fdb2714104cd5f27c74a483d30e927aa41140f7600a07d9f2c8d09e25c

SHA512
054be8a27073e58b919d6d6c5b29ab4242857d359e03185afd0e9f231afdefb687b0e5a184fffd46710e69f10931bf10b702b9ed084a6bea0eacdf7c4fed862d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
215KB

MD5
e8518e1e0da2abd8a5d7f28760858c87

SHA1
d29d89b8a11ed64e67cbf726e2207f58bc87eead

SHA256
8b2c561b597399246b97f4f8d602f0354a979cbe4eea435d9dc65539f49cea64

SHA512
1c15b65bd6b998254cc6f3cbef179c266663f7b1c842229f79ff31ba30043837c398d85296fb20d3a576d9331fee9483ca0cbd06270da2d6db009bc454aee0c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021

Filesize
21KB

MD5
45871552253619d6f54089fd8353a0e5

SHA1
b6ff76fcb884d1e8218790a1be60d50b57917281

SHA256
99601398f0d87d23767f0d832e7230c8ce3f1cdd4e9b56e86a394cec2474e3b3

SHA512
5c3ce901310db91d31023923a75d4b98c7b4175d6e3ea6e0e77cb13ebb2335398eba3952b5e91b5247dd867ebf2bede6f1530e43375e4436db05a915466c3b90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022

Filesize
38KB

MD5
b8103746b4757c6332fe545f11de8f70

SHA1
588965d6333eb015af39c7f44ce71dfac67fb0f7

SHA256
4177d563a186175d3a67091c399db6c57fc271e202406e244d4bc8ad95b1aebd

SHA512
c83bd52d674d90752dfffeb76971a4f9684054d6f02cfdbe8f336758ac46d8b430f306cc64be00112b8c38d191afd1b8395d58600b12cefcb6a052ab70214ebf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
21KB

MD5
eb5f2f8b27b3794eb0b9d7302f3ed208

SHA1
ceb14ae185daed71ebd356c06f067ee90ca75a3a

SHA256
16a56eb5759e2174470278fec544af28e58f93a2e895141c140eef9409efeb60

SHA512
4c1441f9bc16c6c03df5c727c75e238d41aa24127904f86d18eb755564765eed86674de1d6d19406c2f9085454bbaa26c9b65f31973a364906878a9fa4688eb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
37KB

MD5
9a0f2fed78beabcb1af818103e79eb49

SHA1
e36dcc0472152bec227a1f5a81b5024ff3624452

SHA256
bc3ea6c39f4b013cb279391c0adbbd540219cae079703926d37a82dab9046450

SHA512
c4a96707d57cb474f45d669a52e31cc4f34e783b3600781c683c88d470cc6f6c3a5c5a399af33b8a193c57df87e797087fab9f6817048baec5a75e44ff835c6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000025

Filesize
27KB

MD5
482e69a70bd0db3690f0422498dbfe51

SHA1
03d8c267e5f48ccc5f4e781e82c7e443e354794e

SHA256
e24cd258636323a750f60e58600f3cfda0f90cea73d9fd79294b5748b7d2ef6f

SHA512
862300384a8d6218654f7c231e9627b3ec3744817bcf4267008cad979d17f413ff06f5e7c84c822683c4a36676e92aa85bbb9d6216ae3f8187a5e2c710938de5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026

Filesize
16KB

MD5
db2656b672846f689c00438d029d58b6

SHA1
43b8d5085f31085a3a1e0c9d703861831dd507ce

SHA256
aa3f28db9caadce78e49e2aeb52fda016b254ed89b924cdb2d87c6d86c1be763

SHA512
4c57c347b10ea6b2ca1beb908afc122f304e50bd44a404f13c3082ba855796baef1a5eb69276d8744c1728578fa8b651815d7981fcec14a3c41c3ca58d2b24ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000027

Filesize
18KB

MD5
89ee4d8818e8a732f16be7086b4bf894

SHA1
2cc00669ddc0f4e33c95a926089cea5c1f7b9371

SHA256
f6a0dfa58a63ca96a9c7e2e1244fcff6aea5d14348596d6b42cd750030481b82

SHA512
89cc7dfae78985f32e9c82521b46e6a66c22258ebe70063d05f5eb25f941b2fd52df6e1938b20fe6c2e166faa2306526fdf74b398b35483f87b556a052b34c5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028

Filesize
60KB

MD5
65f600946dba43f86ffe8feab1e002bb

SHA1
80d0cfac13edd30144748be2b75102c8b102fd06

SHA256
9a67a73ccb3869bcac620962d6864982570b9681cd7b7bc6acaea5c6dd19c0bd

SHA512
4b93895237d33ab021bd480c71a0086ed416dbe24e3c4437fee13ae92a00c34491219537d888cbe49a36b151abb84055ad98409b0a6f63ca12ad73aca11b3d00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029

Filesize
55KB

MD5
92e42e747b8ca4fc0482f2d337598e72

SHA1
671d883f0ea3ead2f8951dc915dacea6ec7b7feb

SHA256
18f8f1914e86317d047fd704432fa4d293c2e93aec821d54efdd9a0d8b639733

SHA512
d544fbc039213b3aa6ed40072ce7ccd6e84701dca7a5d0b74dc5a6bfb847063996dfea1915a089f2188f3f68b35b75d83d77856fa3a3b56b7fc661fc49126627

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002a

Filesize
45KB

MD5
6c6d3ebcde7c772f7246a3ff86a068ce

SHA1
3ad3721a67ad5968d4b415602d8c0bdad49ff0a7

SHA256
fca0ec54b618c192a3ad712ef7d7eaf59baf614db1e86f21a83fee49531bbf09

SHA512
fb48201c78e30dc4165fe5b8b3ab4f002bc53b7ee1521e01e210b62cdd58b8347f222e37ef6127155752da47d65fdafd16ebb800d584444587afaa99d23bc3c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002b

Filesize
23KB

MD5
9f860e88baf1ab293feeb07bb72f6551

SHA1
bc9953d8982ce8f78a08e91aa6586962949ec7a0

SHA256
d5407a21bec1cb9127216023a5632dcf73f5f5f3f40e0ac49ddf0e2c278b891e

SHA512
92a43cdb07850358c617092899855eee6de66f8eceb786ec8a0a248dadc5e2bfb789cbdbeaaa99f855ae8a03581a3b923029d7780a13ccf6023d7039d1f6e7b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002c

Filesize
16KB

MD5
dde035d148d344c412bd7ba8016cf9c6

SHA1
fb923138d1cde1f7876d03ca9d30d1accbcf6f34

SHA256
bcff459088f46809fba3c1d46ee97b79675c44f589293d1d661192cf41c05da9

SHA512
87843b8eb37be13e746eb05583441cb4a6e16c3d199788c457672e29fdadc501fc25245095b73cf7712e611f5ff40b37e27fca5ec3fa9eb26d94c546af8b2bc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002d

Filesize
88KB

MD5
2dfda5e914fd68531522fb7f4a9332a6

SHA1
48a850d0e9a3822a980155595e5aa548246d0776

SHA256
6abad504ab74e0a9a7a6f5b17cadc7dea2188570466793833310807fd052b09c

SHA512
d41b94218215cec61120cc474d3bc99f9473ab716aadf9cdcbcabf16e742a3e2683dc64023ba4fd8d0ff06a221147b6014f35e0be421231dffb1cc64ac1755e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002e

Filesize
110KB

MD5
212fb70cc1811eed57c5aaf5bc070dcf

SHA1
94ec17177f218c87d58828020705ba19a054b364

SHA256
f570fc5a000981d30666094c0820795186217dc40768d082e38b47c556fb4b4e

SHA512
69b4257439e14d4fa0ce55c70deb8f21e5ffd259f149b3a31c7feb284d7e28305cca0fd54faca0b5bea451abc6c0fb6c1a1b9471ef8cfc267605781d9745c0eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002f

Filesize
16KB

MD5
dc491f2e34e1eb5974c0781d49b8cbaf

SHA1
b73ca9b5f9c627d49da4ecbc3455192e4b305a3f

SHA256
f956049f0d96d455a71003eba400cb94f7067bc52620cd05b81006ecfdd438d8

SHA512
5c9bd0d5c93a05ca76eb727328a0fde40f2be7fe53b6b6c9eb260e8f20f92cfc831fd4b46f954d85baf151ae8aba1cdd6f76b0faf96217922cad844c905f3645

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\bb73c6570251aa2d_0

Filesize
324B

MD5
0ab218b0574be7c16e6e646a6b24b161

SHA1
c41f34bb83553506a564a139862b61b77db26eca

SHA256
b73f803000e02e96f1eb040ea42ae7828453941ab815de309ffea652c745a78e

SHA512
9f2a2a3bb40c33ccc616dec6efa5052f92566606818713c83109875b28de7e774e6a7110acf300456a1bfaa86f00f36e1caab18fcb822efa735d719640cda2dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
145d24bf9a96c02de9f4eea236c14e8a

SHA1
6602c0c0580a5934eedc3c5cd8ea064a1081c3b0

SHA256
c9c43a3ab3af829784a959f968fff151d38eaafca04ed473434da444c03331fc

SHA512
8a1d14d36fc4e0cbdb64ee6cbd5a3cf2fed104352fee11860df1da236a71cf7ae485a4c37d0c18632aaef9427f527cc5905deef8d702d10aa5b04c0f8611a6f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
b3a22b7efebb60bddf7b0a3738de6ea1

SHA1
e1b740f84d34ea51b6e55e0285bf4a1b146370e3

SHA256
2efb46848a3a6d64e8167929671a136b45b2aa5e9dba04ee267bbed9fba313f6

SHA512
4df6415ebf200020e0b17c6b9c0b67b9f45d6f92c745df16c61c1f345ea72964a337b9328d0730391c3aefcd89dac2fe5c743172af46853f796b10b5ae5a4eab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
402053511acb54bed7abb89599b7debc

SHA1
310591e90e22d1952c602c230641b2db5825ab68

SHA256
dd7a73619acea9c57b090413f8235c5ffa35f6cf5a5714eca8681282aa7412e4

SHA512
5dcb555a713915e6c2833b070686d5d42add685b0932b1289681bdd5f53f368b47a0bcd54554c39dce64028ae05da91a9b49c521cd202ceb6d71e6c695016c88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
a83ba03044a3de80fc33268eb2a6e9b0

SHA1
f9c9089af96d842635697e6ff5bd101c42584653

SHA256
a7e5b403eb574bb4622d31bb6e23377335e5285a7af266cdcf558c4cedfd9a3a

SHA512
154cea1687798faddcf79a669d3c9b7b4d15ec4b5f4903d4646d61b88926d94d9578b24ca249226f9828aa9f78d11ca7d2113bbd7ed8913b9f88e46253bb93a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
d3a1047ac54a7a92e4204018c8844682

SHA1
c511badc2e1721312dcb6fce8cff11b1e587d346

SHA256
a651a98cd00bcf5598ca2dceb9c063e688e4e06cb472770e4bb998178c2c90db

SHA512
c60f54a2b8a36bc2033e1afd58d49a3c9dd21c91f36a5cac26aed99c0c0349b87bc8c62b89dde4a5466a44b4d38577258216e61f97e4f089ab4c1074e27b58ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_archive.org_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_archive.org_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
09effdfb14a7633a466cc342d122447d

SHA1
469d1cf914b2a231891a9b86e305ce72d3415f5f

SHA256
3d138f8021c9934727deb04858c7d25a0abbe5ba5855c4bc1a4db4aff878fd25

SHA512
8d32da07068b723871c93ffcb2c7cd18b7893587d6e16c8a71d39a665bddba0f2901328bf782c72825c20637a1c3ea4c23ff432af1439648a86a63ed9eeca3ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
12KB

MD5
a6a6a2a72c90a1d894f08d0b5f1811a5

SHA1
476fe803a4155ad993bb378d5912fae9fb6326ed

SHA256
55b8f57dcc9af9885d455830e66d6cabd36b5be7bd7a48ce1ec39e555b18fcfb

SHA512
117c39a40a35e4a587b61e3243f6620cf1677471e0645e135d0ec0429b25afecd9b8d977ca5251195942cf6d62417c35589fd2042b74811787b4734e22b0edc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
1148928f04b102526ad1fe080d195c06

SHA1
501ca0963b2863bae77051cdd6b6791e295c1f0e

SHA256
2e5af20c7a50fb4cc437159ac1973ec66b41934968c7f93f33d417f82ef7db7f

SHA512
ced95b183bb7f4cc76fea77b8f9b43540ec69184b436bf8e23173e289fd80fcbf29871d1560ab8b10627455edc984f8efca0294f3160666843a4a49b5f498e86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ef04975cf7785404c4e5a5ef35ceaeb6

SHA1
7738a7a5d6a961c9167c933d0c8c505d674cca7c

SHA256
af99e58da02a340b0914d66a991fb7a8635f6d309a40996cdc4fe89d36936fb0

SHA512
1006a604dc5571d752235dc10246d7fc29ad9b7fe15e094aed5f78f2a35e8a2145ea38f809ed2119bc566055a74e4061e9a54a639da5ac2825053650e37b448e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
f052bb8e007b92f445d9c4f709780b38

SHA1
147411a06047bddf427399af216e9fdf6d0dbea1

SHA256
71c7fb0345b2d932917778b652c5abf3aa30d0c332dbb3636c77f459855507e3

SHA512
3ced9285395d80285d513f3e768000ae78bc6de5d227049f92c9622f03a8aac553dd4576a8ed34f26d4c2851434f50ec47251d642f19cb16d176caf6845b2e6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
0194e326fe93ca7b0a0bf93c30c0a17b

SHA1
9e6f4328b45061caa0a8faa6ede55e4e5d25f601

SHA256
22de7b6059f98b21d0e7d2c9ee5c6fb7c9452908f5de62ec8a54d4ac76bab328

SHA512
f95d20f57b20e200c1716b7cec29a46607cd354bd32fbf31d5f9ebc8e84f543829c7119e1c9b6abdf8119ba977b73d6b383810f483f0f8e41c1308b3899a7576

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
00313bddc0833bcfbbf56a335d3b0cba

SHA1
aaca17537dc48dc14344f144d15006b46776d1dc

SHA256
d24c0c3397937f666c7cb29a642c789c01a8376b69662714884e1d9a3d1963ca

SHA512
f6822d057f548bc857a43b3fec105f9715436306ae4376a15ca6965645c519384701ce55604fcbbae42070dc549eedc6531ec6d6281f70f783465f58747ae0d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
2e7315d143d3516fff244d6f8fac9fea

SHA1
ecade2b607ca55519cd1052c2f9de49a9ffe08cb

SHA256
98f74bddba06169b8a9697b342bb946253c640c5cea7402c73f922cba0519157

SHA512
8783ef8789f09c6eb48157d6cf1e92f925a6285410cfac7bb99b51f47e5fef353c2ceeae9cdeacae741fd0b4bb53a9664e99f82018644986aa14c2817c2b4ae8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
41af18be34e5e8cfb3ec155ef806423d

SHA1
eb8e5d80b38eb5ad83dcb5a43f4c32c425b328fe

SHA256
ddc7103db688d20e2ce782e4dd26e8ac284d1314ea205ff88c165b21b4bdedc0

SHA512
d6a8cf2ba7cd85052167a9a6cb60d07e5dad435f2652f53da17a49d732c3f0083b194f345aac090304819e082436af3f7b49131f359ace5bfd4aa2a4695ca86a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
b3dc93b63d437f74bcba15a488a08ccc

SHA1
9261598fff2b2f84b7e857a6976a7ed6af910210

SHA256
a8c8672e21d2f60b5b4a9e40668104f76092e24405590e9fe6c2b21a8e75730d

SHA512
c0463521276a0b3d5b346e551a767db392f59c454bd40888b770d60c7ab45974b7c947edd010f20cbf4cf48f88d122986ede27b288c736e3b1de012b26288f9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
c86de8bb797aa6b1302705ed01e3f528

SHA1
ab4fb9d44718c2f4916e79f76c7c058c5e243f21

SHA256
ee4b199ebd4c30ecc255316cf4dce60a93657f477a75fd7e34a286e239b9c2df

SHA512
548f8608d394bcb2267fcee57fbc5110d7f9fcd1aa7d1ebdd335d7c7e30e7712fbf0f6711d28d4bf56f81b0badfeb10d1fdf912516c4d6656d1fab4828ecd5bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
30fb25303166eedea1761e26107e4cb7

SHA1
6f04ef5823a2a1c6bf2029e4a79efbc6fcd599b9

SHA256
f2ddd35dbd6300d7d4af4e0b32de02938b28f082f27e277a3588e8f26aadf19b

SHA512
ff17b8280202f25e4291b5c65dc6153d361770710c9a25d4ab50cce2b16045697f553b5298b2ce24aaca96cd899766dd004efe3ee56638aec198db09432702bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
569d715967846588d36f42a55c9cb12d

SHA1
cc93c987bef7e2041bbd01622eb1b6b063d69a61

SHA256
63ebc27d2d7df81350eb70f7fc5d3418d3cf51a96e70c349337c3a8c8c90a0a2

SHA512
15ba95de3bd119b14772e16ba79c0c13f93dcab98b97462282d14e03973888d46be811affbc3cce49babab7eaed747941b879fc4731f4afcebd3ecc9d5c80e3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
26cdab53946ca5d99c09404f36c1849d

SHA1
ea0ff252bb3d2bbea458661cf55d766989e8574e

SHA256
963ea0b83a28439c3b5d9d0f83716cdbc9d95cb3821bd9c21270b1ade4f4ff17

SHA512
bdf02dae5c2b0392f054e4c02308a5cff96d3743345ba53b15650cb6ad5211a3e37bd6121cecbc817c34984996ddcfc7c2102daccac7a41addbd485342b0bf15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
cbc198f5d333e7ab4470af65e853b0c7

SHA1
8670a18c3b6ceec1e759462090e3994a7669f3bc

SHA256
baadf3961207d6fecc51a87fe1418a1cf94b99ba09f359183913a149e64b5144

SHA512
f67cd9449b2d5a577d875a2774198c4e125c0222d803bbf77d46998b689677db96380973e40673429659ad9cfd62803eb698e51fb17fb4a99536b49319f434e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6f2f88c78e0fa10bf58315d744af8641

SHA1
47e4252edc6b5ce8fe6e828c25c85a8624709b20

SHA256
ec69bd2a8bb1c2250ca28bf5436c7df383d53392252cf32aa6e33ab93821f17b

SHA512
3ad353115815c7b0faae7496079adce671de0b5b5bafae4977b86e9abbbcdfc7f4d6e7051675f29421733ca3d7f1ba2e34230166e5e22f36b53ee49772208246

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
51f846df90c5114bf563b5f65f4997dc

SHA1
a0f9e45ea89f1d990a361c7970c315580dbdafec

SHA256
bbd0f15f240365d51190563cfa00555d860667adc75f147ce117767d61d4b5c3

SHA512
383a004722dee5ee48d1d38b5175a8b97337b3d58bd9070c3e3d6f09b7b49969da8d475b02441a1a3347f22b73e0fc8531ac1a6c5f59d707341ec7d0eb064735

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
043841ac49ce56bd602093b22cd53633

SHA1
a05a65b79ab86160a2d735496b0c6191deb4b843

SHA256
3d796bd4fc262fe29e9161ef07207d0ef2fef9fddae4d24c47d1d0a10ed6265d

SHA512
89f3ba67787979b11ca42fe0d6a6fcaf60236401bb40c43f982734c8aecc7fdf4ce70a5e2c2b93f2521e0ea17cc56be5b401304965124bc094de8bd1a9a2961c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
ecc68f3d2c59029b0737e9ed5d80c36b

SHA1
66c11e0abd512fac9f6a501d5ad104a4f11f24d7

SHA256
cd2662c211275a8c97ef5c7ac4f5b16d09eca83e12ce7f69a32e16b1cd9c3055

SHA512
d2b5c47c087f5caabb2c11b69643177265c4f7a8cb27ae4cade913adf9b97e7cea72d049ea92b7459e5f08264d3d558580043d89e18110ceee6258927068108a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57a028.TMP

Filesize
48B

MD5
7ac6c5ba292d8ec8bd6160dbb0f0fadd

SHA1
05b1225314e8ce48adc8d0af85282375556e6f9f

SHA256
b941ee225c9ee1c428341c928a51630dd75026d9266bf8258dfe467a2abc4d68

SHA512
f4405aef79de5c9dcb4f23e04a2f9061f3cc08fb07e0e107ce2dee87bc57a21fc0a7488a5db81e3faa562f3be28b02947ab5df0d37b30a60d70c5a5e9e4c3543

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\3\CacheStorage\index.txt

Filesize
76B

MD5
46cb7641be727eb4f17aff2342ae9017

SHA1
683a8d93c63cfa0ccbf444a20b42ae06e2c4b54d

SHA256
944fff1dd6764143550534f747243ef7d84fdac0642c94135ab40f584520f63e

SHA512
dc1b5f363e90abff5c1663a82764296922c842820d2819805e87da6da1081f1b5f2d8debc83ac34a26ce289b7b22588b022433686b19b039074ae184968b9fda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\3\CacheStorage\index.txt~RFe591812.TMP

Filesize
140B

MD5
09f490b68d12f89800e29f697b2b3630

SHA1
901ea42173cd525a8aa9bed3f5d6075cf7c514e4

SHA256
7dbe40197f416007366b6f65482a7de6e1d860aff4e79bd11e98f972478358e2

SHA512
f3e1a7a7a074f8f9c849e38212212398568bf6f88ddbba287deea2794928bf3a52348efbb1172e88f85e4ca51dfc7b300ca568b75ff4f1179b9704d6e76047a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
8757df19b88ac520b83893ae7167f9b5

SHA1
6e518a93ab5f1bd338a76b06fb6f71d9ada61abc

SHA256
1b7f0d47a65fe05f5583d874cc93f3b8bb1d4932e38d596886f39d6d20c05174

SHA512
2374c829420d8df39a764f71d7a90178afcaab93f82d273be44f3b3c8b55bd1a60f6e97f5dfe9226179063ea7f59576763728ec62cdba49bb6da2479f482d7a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
f611f990a12f46fc3a62896e20cff7f7

SHA1
613217b54b71ac75324ec46ca740c0d520c5d803

SHA256
e852a64edffe6eda86393553c59b8e561cc9d970de06fec4a86b086033008f25

SHA512
30e3fc0b6ee4f9e1ec53717a755ec48e1e0976b9bcd2d39970c71fb4fb7a4805288962c808f413f7b6ace085a0e3362ab4aa361ee8808ddc766081ba4292bfee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
3950788fd2c1a392567b19a87867a984

SHA1
43e0ab4241f969808fcb9aad09a0aded123db24f

SHA256
75a50ee1bd336c18d317159b72e88cf53f4fc0a3935c267149b1eb214458ab8a

SHA512
d53473366e3fbf487783fa633db43b225bfa1798aea68e7a6ef019b7845e920c9385ddcc2b114edf0395a5031dd1102ff47c348f694c26a8b99428add107710c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
fb34056d44ef15c5ecd3abcd3b2fd134

SHA1
f3f363a2fa77bf1991127d984a521114c5442793

SHA256
f0fd1f2d1d6fda86c4cdce895ca5b63dad8e01c2652fd5a3a5195f593379c864

SHA512
a3d48889e13b56c52f86423b004f175793c933bf712305dc7d27c42bc49fcf0f48d2d6dec454bc43565cfe775d352261caa271c4d3a7d2770e83b349d0e3d7af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
ecd7729aa17c4fa5c80a02ac1b32d6c1

SHA1
97012f82d0f43c1040f7d67079b3b6b67f70179a

SHA256
5fd616fce6a9d0fc60772e2d430d335874755f7a6c4ccc5a64b929a5bed4f9be

SHA512
3f995c29754de5b14e1345b0493917ffed6b57eeee69843beab611509041b25e70c57196f2298369720f68835b9a34fa47a6f1a2fd8cb1cecd764b56819d9ef5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

Filesize
48KB

MD5
850efe88508753c95f952519b15b037a

SHA1
d8939bae626035dcacde7eec17a8b30733f43998

SHA256
181200c2094846cb32d846fd1e26f3f1490c22c2358649ea39656d4a67f1916e

SHA512
2d3c8f210916257fb45756831baf335c001514d3962d0315957cf84d87c8e9dea5d6148d4501bd93c2dfb908818ad408e99a85dd36b22adcd8459be000b324a4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 637650.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
memory/2108-23306-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2108-22714-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2360-1593-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2360-21122-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2360-22469-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5432-7134-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5432-1591-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5432-9340-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/6060-1569-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/6060-1595-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/6060-5489-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/6060-1594-0x000000000B6C0000-0x000000000B6F4000-memory.dmp

Filesize
208KB

Download
memory/6060-22892-0x000000000B6C0000-0x000000000B6F4000-memory.dmp

Filesize
208KB

Download
memory/18016-28748-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/18016-28745-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/18016-28746-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/18016-28752-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/18016-28754-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/18016-28744-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/18016-28765-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/18016-28767-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/18016-28769-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/18016-28773-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download