99a14d455baa06e9f30d34d73509ce6bdadeb66cc96b94cfd3f06ff80d07300d

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
06/05/2022, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

texi64.dll
Size

280KB
MD5

f2b8daf9be5866844bb5f1a860d4433f
SHA1

6097602f35245926bdcbffcd86ef6f67b2af7bd8
SHA256

e4756dc21114c9de523af307992382dfd0fc0cf7ccf19d5351998c498561ca20
SHA512

b26d90b64bea4b7177d83498efb58d42902e4cc76e9386fd6be6040a5b17d28ed1093b769a4728cfa1e0fdb756c8238a1b8914379b161bf8d6b1f51324a4b73a

Score

8^/10

persistence ransomware

Malware Config

Signatures

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\Pictures\ExpandReset.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ExpandReset.tiff => \??\c:\Users\Admin\Pictures\ExpandReset.tiff.quantum	rundll32.exe
File renamed	C:\Users\Admin\Pictures\MeasureRedo.raw => \??\c:\Users\Admin\Pictures\MeasureRedo.raw.quantum	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ResumeDeny.raw => \??\c:\Users\Admin\Pictures\ResumeDeny.raw.quantum	rundll32.exe
File renamed	C:\Users\Admin\Pictures\WaitDebug.crw => \??\c:\Users\Admin\Pictures\WaitDebug.crw.quantum	rundll32.exe
File renamed	C:\Users\Admin\Pictures\CompleteEnable.raw => \??\c:\Users\Admin\Pictures\CompleteEnable.raw.quantum	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops desktop.ini file(s) 25 IoCs

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\AccountPictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\3D Objects\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\OneDrive\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\9ca9b8fe-4aea-4c97-9636-ce53aee290a9.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220506170829.pma	setup.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\.quantum\shell\Open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\.quantum	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\.quantum\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\.quantum\shell\Open	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4912	rundll32.exe
4912	rundll32.exe
2700	msedge.exe
2700	msedge.exe
2228	msedge.exe
2228	msedge.exe
4240	identity_helper.exe
4240	identity_helper.exe
2304	msedge.exe
2304	msedge.exe
1236	msedge.exe
1236	msedge.exe
4628	identity_helper.exe
4628	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	4912	rundll32.exe
Token: SeDebugPrivilege	4912	rundll32.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2228	msedge.exe
2228	msedge.exe
2228	msedge.exe
1236	msedge.exe
1236	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 3568	4912	rundll32.exe	83
PID 4912 wrote to memory of 3568	4912	rundll32.exe	83
PID 3568 wrote to memory of 5076	3568	cmd.exe	85
PID 3568 wrote to memory of 5076	3568	cmd.exe	85
PID 3512 wrote to memory of 2228	3512	explorer.exe	97
PID 3512 wrote to memory of 2228	3512	explorer.exe	97
PID 2228 wrote to memory of 3752	2228	msedge.exe	99
PID 2228 wrote to memory of 3752	2228	msedge.exe	99
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 4820	2228	msedge.exe	102
PID 2228 wrote to memory of 2700	2228	msedge.exe	103
PID 2228 wrote to memory of 2700	2228	msedge.exe	103
PID 2228 wrote to memory of 1084	2228	msedge.exe	104
PID 2228 wrote to memory of 1084	2228	msedge.exe	104
PID 2228 wrote to memory of 1084	2228	msedge.exe	104
PID 2228 wrote to memory of 1084	2228	msedge.exe	104
PID 2228 wrote to memory of 1084	2228	msedge.exe	104
PID 2228 wrote to memory of 1084	2228	msedge.exe	104
PID 2228 wrote to memory of 1084	2228	msedge.exe	104
PID 2228 wrote to memory of 1084	2228	msedge.exe	104
PID 2228 wrote to memory of 1084	2228	msedge.exe	104
PID 2228 wrote to memory of 1084	2228	msedge.exe	104
PID 2228 wrote to memory of 1084	2228	msedge.exe	104
PID 2228 wrote to memory of 1084	2228	msedge.exe	104
PID 2228 wrote to memory of 1084	2228	msedge.exe	104
PID 2228 wrote to memory of 1084	2228	msedge.exe	104

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
5076	attrib.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\texi64.dll,#1
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E568F64.bat" """
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\system32\attrib.exe
    attrib -s -r -h ""
    3⤵
    - Views/modifies file attributes
    PID:5076

C:\Windows\explorer.exe
"explorer.exe" README_TO_DECRYPT.html
1⤵
PID:3436

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\README_TO_DECRYPT.html
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x78,0x80,0x100,0xd8,0x124,0x7ffa059346f8,0x7ffa05934708,0x7ffa05934718
    3⤵
    PID:3752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1512,961120937237091852,8435560977617345753,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
    3⤵
    PID:4820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1512,961120937237091852,8435560977617345753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1512,961120937237091852,8435560977617345753,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
    3⤵
    PID:1084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1512,961120937237091852,8435560977617345753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
    3⤵
    PID:3492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1512,961120937237091852,8435560977617345753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    PID:3568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1512,961120937237091852,8435560977617345753,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
    3⤵
    PID:3540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,961120937237091852,8435560977617345753,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 /prefetch:8
    3⤵
    PID:4240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,961120937237091852,8435560977617345753,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5792 /prefetch:8
    3⤵
    PID:4356
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1512,961120937237091852,8435560977617345753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
    3⤵
    PID:1236
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:1392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff734885460,0x7ff734885470,0x7ff734885480
      4⤵
      PID:1692
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1512,961120937237091852,8435560977617345753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2480

C:\Windows\explorer.exe
"explorer.exe" README_TO_DECRYPT.html
1⤵
PID:4760

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\README_TO_DECRYPT.html
  2⤵
  PID:4564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffa059346f8,0x7ffa05934708,0x7ffa05934718
    3⤵
    PID:4552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\README_TO_DECRYPT.html
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa059346f8,0x7ffa05934708,0x7ffa05934718
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,11156201328105344499,10306388742742764919,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11156201328105344499,10306388742742764919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,11156201328105344499,10306388742742764919,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,11156201328105344499,10306388742742764919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11156201328105344499,10306388742742764919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,11156201328105344499,10306388742742764919,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4116 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,11156201328105344499,10306388742742764919,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,11156201328105344499,10306388742742764919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,11156201328105344499,10306388742742764919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11156201328105344499,10306388742742764919,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11156201328105344499,10306388742742764919,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11156201328105344499,10306388742742764919,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:5184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
57df4904eea85aeb7b4d9b9d9130ecad

SHA1
f6b26bbbf2a5f6645e1a400b49a8bb1c346a0cc4

SHA256
ad7f7e5f652cca952b91effac780ae3f46aa02eb9de5f18340d8f55efd8a4c68

SHA512
9ee0ab6f4e4a55f748e0177bbdac33c824c2b02cd3110fd3a0545f5885a6e4da6da3eb61f30880e5a30b29eb33274cd518f548b527f9da9cd74c8413bec57f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53473ab893aa74c050da4b15a702cea9

SHA1
85c34c1138235afa21eae7c142640358ee110a5d

SHA256
0ab2a2ba17aad5490bd5c0e2febf6087af97eff3cf347b615b1542a70909b852

SHA512
3ffad5f15b37bcddd4018adfc0633e7e1573b5de829e217550d805870afdbe13194e1f0ef3026d1d26a50fc2a231966ed5eff465df4f9ea8e8490dc478df7e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53473ab893aa74c050da4b15a702cea9

SHA1
85c34c1138235afa21eae7c142640358ee110a5d

SHA256
0ab2a2ba17aad5490bd5c0e2febf6087af97eff3cf347b615b1542a70909b852

SHA512
3ffad5f15b37bcddd4018adfc0633e7e1573b5de829e217550d805870afdbe13194e1f0ef3026d1d26a50fc2a231966ed5eff465df4f9ea8e8490dc478df7e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
1207fe6ed5b1f2d64f20d3373ffee572

SHA1
a21769f0c598f69cad33003be73442a01e60e332

SHA256
3c4ee766be777f7b19c965c2db99a3e75a5a9e814efc809554d1c318bae2bd47

SHA512
8fe7bd82a3a04a06e1e3b3438a5c185eebb1a1f0099acdf58b49868e6011960464810b5db97fc5dbc7ee2462416366fdae6fd203cda4389aebc3101509f58751

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
1207fe6ed5b1f2d64f20d3373ffee572

SHA1
a21769f0c598f69cad33003be73442a01e60e332

SHA256
3c4ee766be777f7b19c965c2db99a3e75a5a9e814efc809554d1c318bae2bd47

SHA512
8fe7bd82a3a04a06e1e3b3438a5c185eebb1a1f0099acdf58b49868e6011960464810b5db97fc5dbc7ee2462416366fdae6fd203cda4389aebc3101509f58751

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
281B

MD5
d7cf0b90cbd042830b961ae1ace5259b

SHA1
fd294b761a0ccc18b1551e39cdfcfedf1825c3bf

SHA256
fc844beb30bc9ac60ebf7343c6f408f59bdcc881759d7a802956d39eaa863dbe

SHA512
10b8c51ffda85e110142505bf95438043d764cd8a657f4b843addc750587873bd12b4ed674562aadf2e4211470995dc4f4582eff0db6424e66fa5ef968d761d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index

Filesize
256KB

MD5
3859200137af68b8c8f54cc934707316

SHA1
2520a8c3987ba84af5ccfb7b357f5ece8b430ddd

SHA256
332952e6c73ecdb148072de03e46cac34b814fad4e26738777f3eca2a87a2109

SHA512
cec26aaea5a49d6072f7c8cd4affcfad37cb762551dab5104d3f025eef66d9448b7f593c382d62387751fa2d6659d1288573ecc1439d587b90b2ed223d43a9c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
34cfeafef06252143fa5f64099a0f0b5

SHA1
9404ccd1e132d08444ac1d05c2c5fa8bb20c15b3

SHA256
a58514b7a7d7ac1b3a15ff175c4cf17f71f6c48aa0c14c354bde5fe951c79c71

SHA512
5842e1565c19388c0b82b160a2e889b4bebb04ee4a0b001464607de88b5706db73986a40c8737dd7c64ed36fac1ffdfa0cc8175e0585a96071a31210597e6bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
627B

MD5
24865f8ed98ba15d9fea5b1b0d17bad0

SHA1
89d912e8899599d76b0e68e884fdbaf1fded0f44

SHA256
7d992cc07c0d2c879222f7c3f4aaf1ba6f398e37ed8de7190dcad5fded2405d0

SHA512
681cbbe137891a4401e990f925805812afb8d9e5a0d9358e3d09680d0ffc602b9c986c0bd4994378501a85d07bcfbfe18c0d2345346c6dd01f2c40ce27cdd18d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
28366ef799970a7943804c6dcaa750e8

SHA1
00575f123a0a37d0f9330d20515f8f836950bd94

SHA256
6c2b58af1f0fd403e8a2068500c9a28a51e4ea61db5a8267d20123f54bf918aa

SHA512
024f954030d5ea63d2d412b3093300b697139d38a302b4afef1d1747985154121ee12aa21137f2b90927d42926a5ad2323648bb06b87e05c776951f7247743e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6baf05e961642bfeca475e874246c92d

SHA1
8a7c57a9df5ccfc9be5a864a714a9f392ee8fc47

SHA256
35a8af06129412d60688c43b9855a8190049d1f4aee1e016286bbea4a5b45d6e

SHA512
0e40cf6b405df1d9b2dda5d385e564dfbd68c6f2e319d6969c737919bde3db14e4e2c6a299fbbb4de8d4d8df03e74c43488f776430692161b28bdcf93de0cbca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8741731c92531402bb0d53a1b718cf8a

SHA1
620ae6811c5907cb494e79db2fd81c15aa2341e6

SHA256
e188aed486801738c34cc8804b5a6c0a4b3176bb6a2407b68a8500e983533fea

SHA512
88df8cc765e4ded89a64756148f4b60d32ba0ac430789598550d0e3625e1917d520f87459f3b14fe6ffa224ea8ec377991790bef3b1dac19e22053ba67d96f7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
279B

MD5
a344630c76fe65e019db2403c1969be3

SHA1
bb4a42060355e38db439818c3975236f0669fe11

SHA256
8d49033adc6d6cd82c0c9d1a1e8cc4a77bcf93b1448b341a4c02884ae5db9027

SHA512
2b19b6cf2e1fba5af52cb0f397338bd97f28b2c5b7a5013602f73fb5ae5a66e199fa840cc74ab94da12e6d9bcbd6563072ddcfe1ae5fac878360bc1583d2f6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13296330511577185

Filesize
1KB

MD5
74672a81441e6e51e25aeccb0f3ad0ac

SHA1
230277238d25a3dc238dd97d7ba21343dc279e03

SHA256
a016be6ddb2ebd91f5dfb784fb55707e2b926d60f92b1f35338d4765b46a23b6

SHA512
c5343b2f82cfef5419965618c73f6de8407c5984912896d67901d9624769d61c3d8ba9180e64b277d2e51e05345330d3ebfe03f3d6bd2d933cee89f52443d406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
ae2973476ca9f71ad31ffdebe53d3b8a

SHA1
b9bea662c39510f9032ddcbaca1821ffab5d106f

SHA256
cb3ef08a9ed279247906f91b7fdd1b7a6dfec178e44685a97efb2544170e58b1

SHA512
c2195770482d0b23076e98bc89c189b600874eebaf617943ad3c88d74e9a703b050ec2d3adb80a5642f74f7625e2ee396497701a4a3350e7dfe777be631daa47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
678bebc960a9cbdecc9989fb10ff469a

SHA1
780a0ae4dc36670c5e65c5aeeef1e136db503745

SHA256
f11bc3d1eb4bddea7527164ab06c269c9bf13251aa9bca448387a873341a43e1

SHA512
259ee5f6f1baa903f02f7ae9a156a5937f762127eeb4a5af3c9f86bfcb9c49fb7dd63acc560242aadf1e92a89d67b5714b2fffa81f205066d002094bd51639c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites

Filesize
20KB

MD5
f44dc73f9788d3313e3e25140002587c

SHA1
5aec4edc356bc673cba64ff31148b934a41d44c4

SHA256
2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983

SHA512
e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
f23dcaf826e9736d5a78365f955c9b4d

SHA1
9fbac1d9e7e601c4e6061cf92e1cf0e2a40190d8

SHA256
c9409f9f6458155032cd9e0b9f7e2a23de941d0186f7b63aac01c1a828c19ba1

SHA512
33edaa5376f31c58556628d42abf0fb017a2089e9fa3917638a1640c47abb64538067c57ab263e234239a7ef6acdf812cab48750979558e7df98f4b9f0b75b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
9799920c1ca0b54a411291fb11932c7c

SHA1
76a015eeb9afe54a8cda9ddc72536db78b061578

SHA256
3c02398d84c8d4a0ada2945148584742d5da8ce51663a3f06903dab0ce213a08

SHA512
a18c70442a67c92dfedc68d9c694f9852d2954a5252ec733efe06bedab2a338fddefc242a49c609fd3e9e3d9b319ac9bf028db42500297d75b0fb108cbecb75e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
187B

MD5
66c55bd9fb067aea7771839386305259

SHA1
c7a0ce4aea8c76117a362908ae406e122cc7bba3

SHA256
cc07acff4bc75c6e7a6baf19455b603504dec47c7232856da44d969bdfbdf5f7

SHA512
e62dc3a27018e18b31c8558215e571a693ee05c8db99cd8acb2da0ebb273d2efbd7235c03e672874c6d316df97b6e2a9b4f857a2d6080791810753123e7f0288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
281B

MD5
5a2e319b29265e86c835d81621138091

SHA1
25171ab4ff00efd116b52a13d1c454abf26a0a3e

SHA256
23800c3660cea0f967f47b79fb80c12dbf1ab5bb4bae228ed110e0a8aa6c8e42

SHA512
069207a89155e19657fd09163c81ac3cad1673e0803d9fcbe36c44ed33acaf4901572761ffa30612c1108eec2372c11cc079e804011f2d9593274a1ffcc8f9ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
531B

MD5
ab863439c9f8478dc396057d885ed26a

SHA1
233de80912615fe2b317c6c52dc3191ec3fdac81

SHA256
e2b716ab6087cf49da5c527eedb651d5091cdb5bee86c346e66f49af8a171531

SHA512
10b7154fdb9d75103e73e72be18d00b8a9127a2e7d9d67460711ecb5e812632dca95bab205080e8b2e17860d8480b1f269b96192d9410060c1264234cf2e1c32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
299B

MD5
2c3f956630d9c86b34c1c095ee9231e6

SHA1
f8ced0a6d2b827de7766db2608d803be3458a5a1

SHA256
1de1babd328511979357115944da98eeabaac2675c362d2d37976b54f7e22d1e

SHA512
f451c0f24e8568313c11dcf741fcab859493e7ed8619e38c1b262190707d5d3824665e563681d4901cb77f53d4798c2c582c94241395d8f17678f8cea9cd091b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
77fa3b637ac518bce2ea1c3cb46bf02c

SHA1
7353ff11f1a9cee879ce7b9d4f28754aed558721

SHA256
ef99b516e1db78031e3ba7f716fde023f0f313cebc685b23c78872dd06c04dc9

SHA512
de9cd22692a6cca9c19eaaf0e06ee877ddf79c5e0c63c52befef3a4f0796111d08736511ea4d04ca3073bb2a6cb5e8b80db0aebb8867076fd67ad266e1989ec7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings

Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris

Filesize
40B

MD5
f9be696ad1049dbd9efb8e0349ad5d04

SHA1
871db7d1f44ce1d9a41bf251673c6639c965294a

SHA256
787a1ee24fe443db05a792e4cfa9ee359e7e5412b4bd9a3b89e24dbdfeba8860

SHA512
d0e6f0902ba55e2af324f408e58e557768dedc1ad97352a4d050529bf21a4461e67188a36bbb9679585fb8b56f798bbf36a2e5e2a5586b3b21cafdff4fb3d946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_637874429925389146

Filesize
7KB

MD5
533a1b09aadcfbb4b389ea0cef3a4a5d

SHA1
30bbfb9ea5067e18a4381265f277c5b86e9430e4

SHA256
625249be4a50d48979b5f136e3e28a67b3a9f4c738bbe048c93d855801715e2a

SHA512
2fce3d9bd08b0f4a40110087ec0244d6442e7b746e2a819526a4415eb3029041c5eb2cad3db1bb285f4582d37b8c1f74982e11f41d52af794cc2ab4018d0c57d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic

Filesize
29B

MD5
ce545b52b20b2f56ffb26d2ca2ed4491

SHA1
ebe904c20bb43891db4560f458e66663826aa885

SHA256
e9d5684e543b573010f8b55b11bf571caf0a225cdea03f520091525978023899

SHA512
1ea06c8e3f03efdd67779969b4cdf7d8e08f8327298668a7cffd67d1753f33cf19e6995a3d83fe45185c55b950f41e48ac71b422b91e8d0180b5bdd07cfacfe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_637811103879324684

Filesize
450KB

MD5
a7aab197b91381bcdec092e1910a3d62

SHA1
35794f2d2df163223391a2b21e1610f14f46a78f

SHA256
6337fe4e6e7464e319dfcdadf472987592013cf80d44916f5151950b4a4ca14b

SHA512
cffd7350d1e69ada5f64cafe42a9d77e3192927e129f2903088b66b6efc9626b5d525aedca08d473ad8fa415af1d816594b243609237dc23716d70a2ca0eb774

Download Submit
C:\Users\Admin\AppData\Local\Temp\.log

Filesize
64KB

MD5
d9a4be075e02fe0b8ea7507bee4170f2

SHA1
19b78a336adb596813445899576892207a833880

SHA256
d70e08ae3419bec3bbcafc4ece86191f387e7271639834a1a1c4a6ca1355270a

SHA512
d92ff709d3ffa1f01cff78197f571b17e6a6ba0fc078477305271a33e7624f78ff54bac32f7519bcd2d629d2c57a3b10791038c8bc927b4eab68d747a620bc02

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E568F64.bat

Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Filesize
2KB

MD5
02f2566fd4fa0657bc007d174be2b3ef

SHA1
4e54f4882dd62a5201d8d3c2c3f10a5c38744b98

SHA256
d3c9b2dc8ec1c181f9fc9838a55d4ca43de0068bcc068bbf1a0dba3d51a55d2b

SHA512
d3076e1878b88699210346b55d0a0e808490de5b9eef3afd62664ac63bef788a59a259416a5c492af328c4825c523809efe422d091ac12a4918597fa19fa556c

Download Submit
memory/4912-130-0x0000010180000000-0x0000010180018000-memory.dmp

Filesize
96KB

Download