Analysis
- max time kernel: 126s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 15-04-2021 07:47

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: Gr_rs.exe, resource: win7v20210408)
- Behavioral task: behavioral2 (sample: Gr_rs.exe, resource: win10v20210410)

General
- Target: Gr_rs.exe
- Size: 678KB
- MD5: 7684408e648ed2c462817083cd61d6d5
- SHA1: 8dc1ba94b3b2996dcf45aa2b73730ff636fbed2e
- SHA256: b0f6d7c7a168f77b93aa42d7dc22a0118f98f525c14272467ff37c34217417d9
- SHA512: 00224011cae9e86fac9f394b52b5267166f3bfc6ac6fe34594aaebd53c74f64f716bebdf1e9ad30072d0f800e22680597b766aca8dcc0d57c9f43d39092b7f55
Malware Config
- Extracted from: C:\Users\Admin\Desktop\Recovery_Instructions.html
- Family: medusalocker
- Contact e-mails: support@imfoodst.com, support@securycasts.com
- URL: http://gvlay6u4g53rxdi5.onion/8-Ww5sCBhsL8eM4PeAgsfgfa9lrqa81r31-c5EO4jlAOS7D8NCgbfZhNaL4wpxKeGEy
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description / ioc / process):
  - File renamed: C:\Users\Admin\Pictures\PingInstall.crw => C:\Users\Admin\Pictures\PingInstall.crw.rs (Gr_rs.exe)
  - File renamed: C:\Users\Admin\Pictures\PublishUnpublish.raw => C:\Users\Admin\Pictures\PublishUnpublish.raw.rs (Gr_rs.exe)
  - File renamed: C:\Users\Admin\Pictures\UsePing.crw => C:\Users\Admin\Pictures\UsePing.crw.rs (Gr_rs.exe)
  - File renamed: C:\Users\Admin\Pictures\ConvertFromClear.raw => C:\Users\Admin\Pictures\ConvertFromClear.raw.rs (Gr_rs.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks whether UAC is enabled
  Processes (description / ioc / process):
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Gr_rs.exe)
- Drops desktop.ini file(s) (1 IoCs)
  Processes (description / ioc / process):
  - File opened for modification: \??\Z:\$RECYCLE.BIN\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini (Gr_rs.exe)
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description / ioc / process):
  - File opened (read-only) by Gr_rs.exe, in this order: \??\F:, \??\G:, \??\N:, \??\Z:, \??\B:, \??\O:, \??\P:, \??\Q:, \??\S:, \??\Y:, \??\H:, \??\I:, \??\L:, \??\T:, \??\U:, \??\W:, \??\V:, \??\X:, \??\A:, \??\E:, \??\J:, \??\K:, \??\M:, \??\R:
- Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
  - File opened for modification: C:\Windows\Debug\ESE.TXT (MicrosoftEdge.exe)
  - File opened for modification: C:\Windows\Debug\ESE.TXT (MicrosoftEdge.exe, second instance)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid / process):
  - 496 vssadmin.exe
  - 3480 vssadmin.exe
  - 1092 vssadmin.exe
- Modifies Internet Explorer settings
  Processes (description / ioc / process):
  - Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main (MicrosoftEdgeCP.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main (browser_broker.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main (MicrosoftEdge.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main (browser_broker.exe, second instance)
- Modifies registry class (64 IoCs)
  Processes (description / ioc / process). Every key below is relative to the per-user AppContainer hive of Edge:
  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\
  - Set value (str): Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" (MicrosoftEdgeCP.exe)
  - Set value (int): MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1" (MicrosoftEdge.exe)
  - Set value (data): MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 (MicrosoftEdge.exe)
  - Set value (int): MicrosoftEdge\GPU\Wow64-SubSysId = "0" (MicrosoftEdge.exe)
  - Set value (data): MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 301bd569d72dd701 (MicrosoftEdge.exe)
  - Set value (str): Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" (MicrosoftEdge.exe)
  - Key created: MicrosoftEdge\IETld\LowMic (MicrosoftEdge.exe)
  - Set value (str): Children\121\Internet Settings\Cache\Content\CachePrefix (MicrosoftEdgeCP.exe)
  - Key created: MicrosoftEdge\BrowserEmulation (MicrosoftEdge.exe)
  - Set value (int): MicrosoftEdge\GPU\VendorId = "0" (MicrosoftEdge.exe)
  - Set value (int): MicrosoftEdge\GPU\VersionLow = "0" (MicrosoftEdge.exe)
  - Key created: Children\121\Internet Settings\Cache\Content (MicrosoftEdgeCP.exe)
  - Set value (int): MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0" (MicrosoftEdge.exe)
  - Key created: Internet Settings (MicrosoftEdge.exe)
  - Set value (int): MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" (MicrosoftEdge.exe)
  - Set value (int): MicrosoftEdge\GPU\DXFeatureLevel = "0" (MicrosoftEdge.exe)
  - Set value (int): MicrosoftEdge\GPU\Wow64-VersionLow = "0" (MicrosoftEdge.exe)
  - Set value (str): Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" (MicrosoftEdgeCP.exe)
  - Set value (data): MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 301bd569d72dd701 (MicrosoftEdge.exe)
  - Key created: Internet Settings\Cache\Content (MicrosoftEdge.exe)
  - Set value (int): MicrosoftEdge\Main\JumpListFirstRun = "3" (MicrosoftEdge.exe)
  - Set value (str): Internet Settings\Cache\Content\CachePrefix (MicrosoftEdge.exe)
  - Key created: Children\006\ACGStatus (MicrosoftEdgeCP.exe)
  - Key created: MicrosoftEdge\DummyPath (MicrosoftEdge.exe)
  - Set value (int): MicrosoftEdge\ServiceUI\IsSignedIn = "0" (MicrosoftEdge.exe)
  - Key created: MicrosoftEdge\LowRegistry\DOMStorage (MicrosoftEdge.exe)
  - Set value (data): Children\121\CIStatus\SignaturePolicy = 06000000 (MicrosoftEdgeCP.exe)
  - Set value (int): MicrosoftEdge\Recovery\PendingRecovery\Active = "0" (MicrosoftEdge.exe)
  - Key created: MicrosoftEdge\Internet Settings (MicrosoftEdge.exe)
  - Set value (int): MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" (MicrosoftEdge.exe)
  - Set value (int): MicrosoftEdge\GPU\Wow64-VersionHigh = "0" (MicrosoftEdge.exe)
  - Set value (int): MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packag = "0" (MicrosoftEdge.exe)
  - Key created: MicrosoftEdge\Internet Settings\Zones\3 (MicrosoftEdge.exe)
  - Set value (int): Children\001\CIStatus\CIPolicyState = "0" (MicrosoftEdgeCP.exe)
  - Set value (int): Children\006\ACGStatus\ACGPolicyState = "6" (MicrosoftEdgeCP.exe)
  - Key created: Children\121\ACGStatus (MicrosoftEdgeCP.exe)
  - Set value (str): MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll" (MicrosoftEdge.exe)
  - Key created: MicrosoftEdge\BrowserEmulation\LowMic (MicrosoftEdge.exe)
  - Set value (str): MicrosoftEdge\Main\ImageStoreRandomFolder = "s0i51m2" (MicrosoftEdge.exe)
  - Set value (int): MicrosoftEdge\Privacy\InProgressFlags = "0" (MicrosoftEdge.exe)
  - Key created: MicrosoftEdge\BrowserEmulation\LowMic (MicrosoftEdge.exe)
  - Set value (int): Children\121\CIStatus\CIPolicyState = "0" (MicrosoftEdgeCP.exe)
  - Set value (int): MicrosoftEdge\FavOrder\TreeView = "1" (MicrosoftEdge.exe)
  - Set value (data): MicrosoftEdge\Recovery\FirstRecoveryTime = 301bd569d72dd701 (MicrosoftEdge.exe)
  - Key created: MicrosoftEdge\OnlineHistory (MicrosoftEdgeCP.exe)
  - Set value (int): MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" (MicrosoftEdge.exe)
  - Set value (data): MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000077cc84faf06d4c5a1c27a14987a9aa6ff8eaf84d39d03c14c8d7d8cd86a1d5c2fcec4fc34b029bb2fe619f258e816c9c85d5d16ad94e3490625 (MicrosoftEdge.exe)
  - Set value (int): MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" (MicrosoftEdge.exe)
  - Set value (data): Children\121\CIStatus\SignaturePolicy = 06000000 (MicrosoftEdgeCP.exe)
  - Key created: MicrosoftEdge\Toolbar (MicrosoftEdge.exe)
  - Key created: MicrosoftEdge\Toolbar\WebBrowser (MicrosoftEdge.exe)
  - Key created: MicrosoftEdge\ExtensionsStore\datastore (MicrosoftEdge.exe)
  - Set value (int): MicrosoftEdge\GPU\Wow64-Revision = "0" (MicrosoftEdge.exe)
  - Set value (int): MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" (MicrosoftEdge.exe)
  - Key created: MicrosoftEdge\UserStateMigration\EdgeMigration (MicrosoftEdge.exe)
  - Set value (str): MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/" (MicrosoftEdge.exe)
  - Set value (data): MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = (value not preserved on the page) (MicrosoftEdge.exe)
  - Key created: MicrosoftEdge\Main (MicrosoftEdge.exe)
  - Set value (int): MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" (MicrosoftEdge.exe)
  - Set value (int): CIStatus\EnablementState = "1" (MicrosoftEdge.exe)
  - Key created: MicrosoftEdge\OnlineHistory (MicrosoftEdge.exe)
  - Set value (int): MicrosoftEdge\Internet Settings\EnableNegotiate = "1" (MicrosoftEdge.exe)
  - Set value (int): MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompletedV = "1" (MicrosoftEdge.exe)
  - Set value (int): MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1" (MicrosoftEdge.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
  - 2112 Gr_rs.exe (64 identical entries)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid / process):
  - 4148 MicrosoftEdgeCP.exe
  - 4708 MicrosoftEdgeCP.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / process), grouped by process in the order reported:
  - vssvc.exe (PID 2648), Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - wmic.exe (PID 2452), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - wmic.exe (PID 3528), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - wmic.exe (PID 3852), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34 (list cut off at the 64-IoC cap)
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes (pid / process):
  - 1580 MicrosoftEdge.exe
  - 4148 MicrosoftEdgeCP.exe (2 entries)
  - 4460 MicrosoftEdge.exe
  - 4708 MicrosoftEdgeCP.exe (2 entries)
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (description / pid / process / target process):
  - PID 2112 Gr_rs.exe wrote to memory of 496 vssadmin.exe (3 entries)
  - PID 2112 Gr_rs.exe wrote to memory of 2452 wmic.exe (3 entries)
  - PID 2112 Gr_rs.exe wrote to memory of 3480 vssadmin.exe (3 entries)
  - PID 2112 Gr_rs.exe wrote to memory of 3528 wmic.exe (3 entries)
  - PID 2112 Gr_rs.exe wrote to memory of 1092 vssadmin.exe (3 entries)
  - PID 2112 Gr_rs.exe wrote to memory of 3852 wmic.exe (3 entries)
  - PID 4148 MicrosoftEdgeCP.exe wrote to memory of 4212 MicrosoftEdgeCP.exe (6 entries)
  - PID 4708 MicrosoftEdgeCP.exe wrote to memory of 4772 MicrosoftEdgeCP.exe (6 entries)
- System policy modification (1 TTPs, 3 IoCs)
  Processes (description / ioc / process):
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (Gr_rs.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (Gr_rs.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Gr_rs.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Gr_rs.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Gr_rs.exe"
  Signatures:
  - Modifies extensions of user files
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Child processes (level 2):
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    Signatures:
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    Signatures:
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    Signatures:
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (level 1)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe (level 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe (level 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  Signatures:
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\browser_broker.exe (level 1)
  Command line: C:\Windows\system32\browser_broker.exe -Embedding
  Signatures:
  - Modifies Internet Explorer settings
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (level 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures:
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (level 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures:
  - Modifies Internet Explorer settings
  - Modifies registry class
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe (level 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  Signatures:
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\browser_broker.exe (level 1)
  Command line: C:\Windows\system32\browser_broker.exe -Embedding
  Signatures:
  - Modifies Internet Explorer settings
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (level 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures:
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (level 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures:
  - Modifies registry class
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (level 1)
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Signatures:
  - Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
  MD5: 77358288a63c83d3b9d042c28ac9d8fb
  SHA1: 9213d9e0ac7fadf797bcc660b9035331735f8fd6
  SHA256: 9802e00285e47df1190917a681067f6e93cd067a70292b388891be1bb451ab8a
  SHA512: 9c6265ea1540331ab67e2c3b3f78a5a126e9fc1436df7b9bbe6f4977e4e7151dc1c94497a460e799b2316f28f94afb3f30eaba14b89381a9d00d3d072f8061b7
- C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
  MD5: ba306bf7897b8b5c7ea594adda251554
  SHA1: 32a2a66af0b35114500da76d1baea7f0f46055a7
  SHA256: 941299067cfe8ef3a45b2719cdbcd862fff890644624c15d18f20474f5b1b17b
  SHA512: 8ccf01009b101fab0e59ccc7efc12dd72cc14cf9f3d9e732e1588d5f72f685b744d656643147f59819e07016707ebd20825f8d65d20927d7bc8c056fea12c724
- C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
  MD5: 641e386bb107cafc0f150402a13787e9
  SHA1: 155ecd760c5186abc08edbc3e21175db77ed80da
  SHA256: c93eb5af7dbb3895f6958e566cb289ff2e243f6d0ed85ddd6a3af53fb4c342fb
  SHA512: a28ffffd30c8ea42eef0cc008e9c0774cdf38d1a9679d1299f22bdff9221f7223979cae65f913fbb0aa17d6d4f57aa7fdf52d3abc159a6132970938de051a646
- C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
  MD5: 9401f6e95559dcb40cc88d13a402cb6c
  SHA1: 6e444d35343a42a3f0cedc25f71bdfa27ea9b190
  SHA256: e9010285b4d96b1628ef891d083106ecfb4d93075a3b037a22ff846206ba254c
  SHA512: 646d45dab75d36dbab4b997777b068044a63418487db20d004dcb233c5724f637b0fe37fde4b2fb437e2c0ba73321f3cdb3434a9506797de6107f37112ce5ef9
- C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{4D6F6E5B-603B-4A35-A142-62EDB5739F6C}.dat
  MD5: e4c094a3f23d10f3257a0afe5016eac1
  SHA1: c0f724552700dc15e2c100786b0c000549a00a32
  SHA256: e1cf4fb3bf8d80246c0d3feb463e2b9ca81e84922f990b69976bc4457d6ab819
  SHA512: 1bf2a5358952269247f2b9278e85c1fe5adf4fa9de1c8cf64647ee4fdc5e8027ff6f114974d20dcaacbf685caca8e1a13a82c249f5f7a15b74ed8065c2da8e74
- C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{1A42B863-F8AA-4D4A-A7E9-45B138A18888}.dat
  MD5: c6032bcfd17b05bb8c76a041d9301afb
  SHA1: 7ca73656cd16d8ac7857383fa0ee8194b634d749
  SHA256: 75b738bd5c3a350e702c88e4a302a73d7297fea038887bc343874336ecca4659
  SHA512: 22e36b94696a0f5106f332d1ead9720f8b26c89359ea9682a15a2b3e06c2df34345dca8460a24d4240aa1026ad9f2949cbb0c00ea3612659b5b0cee8060aa381
- C:\Users\Admin\Desktop\Recovery_Instructions.html
  MD5: bdbd1767eb0328efa1bab608cf2bb9c4
  SHA1: 680be04d7df36b035f88006d6e636cf70d6e74d0
  SHA256: e2273a0e6086985635b54b78ced76e92a7e4295b8346993d49ebda3b3f018020
  SHA512: b69fb25b867087f18e06f9a679fe96b113f484a54e91b91ece606d2817e35c3c776c15e359a0d74c9cacf996ecbcbc3ec042ae4d8c6cfdd6658741b212a9aac0

Memory dumps
- memory/496-114-0x0000000000000000-mapping.dmp
- memory/1092-118-0x0000000000000000-mapping.dmp
- memory/2452-115-0x0000000000000000-mapping.dmp
- memory/3480-116-0x0000000000000000-mapping.dmp
- memory/3528-117-0x0000000000000000-mapping.dmp
- memory/3852-119-0x0000000000000000-mapping.dmp