mountlocker | 30050b3673c720729cd6a61803059b16dd3aa526683e7342aae0261e4c78fa83

Analysis

max time kernel
115s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2023 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30050b3673c720729cd6a61803059b16dd3aa526683e7342aae0261e4c78fa83.msi
Size

112KB
MD5

ce3969ab935f0f5b1301cd70d2e59696
SHA1

e70d3341a6e2cc8ae0f140075837ceac4453b947
SHA256

30050b3673c720729cd6a61803059b16dd3aa526683e7342aae0261e4c78fa83
SHA512

20998be53a994d7adab2b71bafccec1eeb93e356965582161fa1fccea023fbf62b0145adf5e0621118f00a4ea12a71fbb5de2fdd129d92879502a5a3da019a36
SSDEEP

1536:y7WSmywADwaY6FIsr4XSZ32tcOGwpin2NI2F4cdJ0DLx0DL:y7WgpDwd6+srGi32tcOGwpin2NMcd

Score

10^/10

mountlocker ransomware

Malware Config

Extracted

Path

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\RecoveryManual.html

Ransom Note

<html> <head> <title>RECOVERY MANUAL</title> </head> <body> <h1>Your ClientId:</h1> <pre> d11ebd6225c2dd096733ff8dad28b64333d09f7bceb47017abe00375993d6d52 </pre> <hr/> /!\ YOUR COMPANY' NETWORK HAS BEEN HACKED /!\ All your important documents have been encrypted and transferred to our premises! <hr/> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. However there is a solution for your problem! We can support you with your data decryption for a monetary reward. Also we will destroy your private data from our premises. And we can prove our decryption capabilities by decrypting couple of your files free of charge. Here are the next steps to get your valuable data back and get it wiped out from our premises: <a href="http://qiludmxlqqotacf62iycexcohbka4ezresf5jmwdoh7iyk3tgguzaaqd.onion/?cid=d11ebd6225c2dd096733ff8dad28b64333d09f7bceb47017abe00375993d6d52">http://qiludmxlqqotacf62iycexcohbka4ezresf5jmwdoh7iyk3tgguzaaqd.onion/?cid=d11ebd6225c2dd096733ff8dad28b64333d09f7bceb47017abe00375993d6d52</a> * Note that you need installed Tor Browser to open this kind of links. Follow the instructions to install/run Tor Browser: 1. Go to TOR Project website https://www.torproject.org using your usual browser (Chrome, Firefox, Internet Explorer or Edge) 2. Click "Download Tor Browser" and pick right version for your Operation System (this is Windows in 99.9% of cases) 3. Download and Install Tor Browser 4. After installation finished, click on "Tor Browser" link from your Desktop 5. By using Tor Browser visit <a href="http://qiludmxlqqotacf62iycexcohbka4ezresf5jmwdoh7iyk3tgguzaaqd.onion/?cid=d11ebd6225c2dd096733ff8dad28b64333d09f7bceb47017abe00375993d6d52">http://qiludmxlqqotacf62iycexcohbka4ezresf5jmwdoh7iyk3tgguzaaqd.onion/?cid=d11ebd6225c2dd096733ff8dad28b64333d09f7bceb47017abe00375993d6d52</a> 6. Copy your client id from the top of this document and paste it into Authorization window if requested 7. This will start a chat with our security experts. Please note, sometimes our team is away from keyboard, but make sure they will reply you back as soon as possible. Also, we kindly request you to contact with us as soon as possible. We will start publishing your private data to the Internet if you don't get in touch with us within next few days. </body> </html>

Extracted

Path

C:\Windows\Installer\e57c890.msi

Ransom Note

��ࡱ��>��

Extracted

Path

C:\Users\Admin\Desktop\RecoveryManual.html

Family

mountlocker

Ransom Note

Your ClientId: /!\ YOUR COMPANY' NETWORK HAS BEEN HACKED /!\ All your important documents have been encrypted and transferred to our premises! ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. However there is a solution for your problem! We can support you with your data decryption for a monetary reward. Also we will destroy your private data from our premises. And we can prove our decryption capabilities by decrypting couple of your files free of charge. Here are the next steps to get your valuable data back and get it wiped out from our premises: http://qiludmxlqqotacf62iycexcohbka4ezresf5jmwdoh7iyk3tgguzaaqd.onion/?cid=d11ebd6225c2dd096733ff8dad28b64333d09f7bceb47017abe00375993d6d52 * Note that you need installed Tor Browser to open this kind of links. Follow the instructions to install/run Tor Browser: 1. Go to TOR Project website https://www.torproject.org using your usual browser (Chrome, Firefox, Internet Explorer or Edge) 2. Click "Download Tor Browser" and pick right version for your Operation System (this is Windows in 99.9% of cases) 3. Download and Install Tor Browser 4. After installation finished, click on "Tor Browser" link from your Desktop 5. By using Tor Browser visit http://qiludmxlqqotacf62iycexcohbka4ezresf5jmwdoh7iyk3tgguzaaqd.onion/?cid=d11ebd6225c2dd096733ff8dad28b64333d09f7bceb47017abe00375993d6d52 6. Copy your client id from the top of this document and paste it into Authorization window if requested 7. This will start a chat with our security experts. Please note, sometimes our team is away from keyboard, but make sure they will reply you back as soon as possible. Also, we kindly request you to contact with us as soon as possible. We will start publishing your private data to the Internet if you don't get in touch with us within next few days.

URLs

http://qiludmxlqqotacf62iycexcohbka4ezresf5jmwdoh7iyk3tgguzaaqd.onion/?cid=d11ebd6225c2dd096733ff8dad28b64333d09f7bceb47017abe00375993d6d52

Signatures

Detected Mount Locker ransomware 3 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022f9a-149.dat	RANSOM_mountlocker
behavioral2/files/0x0006000000022f9a-150.dat	RANSOM_mountlocker
behavioral2/files/0x0006000000022f90-670.dat	RANSOM_mountlocker

MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
ransomware mountlocker

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\Pictures\CheckpointUnregister.crw.ReadManual.64BD3273	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\ConfirmBackup.png => \??\c:\Users\Admin\Pictures\ConfirmBackup.png.ReadManual.64BD3273	MsiExec.exe
File opened for modification	\??\c:\Users\Admin\Pictures\ConfirmBackup.png.ReadManual.64BD3273	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\ExpandEnable.raw => \??\c:\Users\Admin\Pictures\ExpandEnable.raw.ReadManual.64BD3273	MsiExec.exe
File opened for modification	\??\c:\Users\Admin\Pictures\ExpandEnable.raw.ReadManual.64BD3273	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\CheckpointUnregister.crw => \??\c:\Users\Admin\Pictures\CheckpointUnregister.crw.ReadManual.64BD3273	MsiExec.exe

Loads dropped DLL 1 IoCs

pid	Process
2484	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\teyefibowo\ReadMe.txt	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2f0da1e4-1daa-4f86-a7db-09f81873a797.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230222020338.pma	setup.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSICAE1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB5F.tmp	msiexec.exe
File created	C:\Windows\Installer\e57c892.msi	msiexec.exe
File created	C:\Windows\Installer\e57c890.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{792475A9-82DA-4E6B-A6E6-443B78D1084B}	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c890.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000206f4107d723b55a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000206f41070000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900206f4107000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000206f410700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000206f410700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 29 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\.64BD3273\shell	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9A574297AD28B6E46A6E44B3871D80B4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\SourceList\PackageName = "30050b3673c720729cd6a61803059b16dd3aa526683e7342aae0261e4c78fa83.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\.64BD3273\shell\Open\command\ = "explorer.exe RecoveryManual.html"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9A574297AD28B6E46A6E44B3871D80B4\iDAAAF618FF524449BD8193E4A7C12996	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\PackageCode = "B6AA8A37A2DF03A4195563F9732E8294"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\SourceList\Media\1 = ";CD-ROM #1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\Version = "53805056"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7E99BE60AB9492F4EB40B1E891C24BA8\9A574297AD28B6E46A6E44B3871D80B4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7E99BE60AB9492F4EB40B1E891C24BA8	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\SourceList\Media\DiskPrompt = "zawani 3.53 Installation"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\.64BD3273\shell\Open\command	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\.64BD3273\shell\Open	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\.64BD3273	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A574297AD28B6E46A6E44B3871D80B4\ProductName = "zawani"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1364	msiexec.exe
1364	msiexec.exe
2484	MsiExec.exe
2484	MsiExec.exe
548	msedge.exe
548	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
1744	identity_helper.exe
1744	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4804	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4804	msiexec.exe
Token: SeSecurityPrivilege	1364	msiexec.exe
Token: SeCreateTokenPrivilege	4804	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4804	msiexec.exe
Token: SeLockMemoryPrivilege	4804	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4804	msiexec.exe
Token: SeMachineAccountPrivilege	4804	msiexec.exe
Token: SeTcbPrivilege	4804	msiexec.exe
Token: SeSecurityPrivilege	4804	msiexec.exe
Token: SeTakeOwnershipPrivilege	4804	msiexec.exe
Token: SeLoadDriverPrivilege	4804	msiexec.exe
Token: SeSystemProfilePrivilege	4804	msiexec.exe
Token: SeSystemtimePrivilege	4804	msiexec.exe
Token: SeProfSingleProcessPrivilege	4804	msiexec.exe
Token: SeIncBasePriorityPrivilege	4804	msiexec.exe
Token: SeCreatePagefilePrivilege	4804	msiexec.exe
Token: SeCreatePermanentPrivilege	4804	msiexec.exe
Token: SeBackupPrivilege	4804	msiexec.exe
Token: SeRestorePrivilege	4804	msiexec.exe
Token: SeShutdownPrivilege	4804	msiexec.exe
Token: SeDebugPrivilege	4804	msiexec.exe
Token: SeAuditPrivilege	4804	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4804	msiexec.exe
Token: SeChangeNotifyPrivilege	4804	msiexec.exe
Token: SeRemoteShutdownPrivilege	4804	msiexec.exe
Token: SeUndockPrivilege	4804	msiexec.exe
Token: SeSyncAgentPrivilege	4804	msiexec.exe
Token: SeEnableDelegationPrivilege	4804	msiexec.exe
Token: SeManageVolumePrivilege	4804	msiexec.exe
Token: SeImpersonatePrivilege	4804	msiexec.exe
Token: SeCreateGlobalPrivilege	4804	msiexec.exe
Token: SeBackupPrivilege	1416	vssvc.exe
Token: SeRestorePrivilege	1416	vssvc.exe
Token: SeAuditPrivilege	1416	vssvc.exe
Token: SeBackupPrivilege	1364	msiexec.exe
Token: SeRestorePrivilege	1364	msiexec.exe
Token: SeRestorePrivilege	1364	msiexec.exe
Token: SeTakeOwnershipPrivilege	1364	msiexec.exe
Token: SeRestorePrivilege	1364	msiexec.exe
Token: SeTakeOwnershipPrivilege	1364	msiexec.exe
Token: SeRestorePrivilege	1364	msiexec.exe
Token: SeTakeOwnershipPrivilege	1364	msiexec.exe
Token: SeDebugPrivilege	2484	MsiExec.exe
Token: SeTakeOwnershipPrivilege	2484	MsiExec.exe
Token: SeRestorePrivilege	2484	MsiExec.exe
Token: SeBackupPrivilege	4388	srtasks.exe
Token: SeRestorePrivilege	4388	srtasks.exe
Token: SeSecurityPrivilege	4388	srtasks.exe
Token: SeTakeOwnershipPrivilege	4388	srtasks.exe
Token: SeBackupPrivilege	4388	srtasks.exe
Token: SeRestorePrivilege	4388	srtasks.exe
Token: SeSecurityPrivilege	4388	srtasks.exe
Token: SeTakeOwnershipPrivilege	4388	srtasks.exe
Token: SeRestorePrivilege	1364	msiexec.exe
Token: SeTakeOwnershipPrivilege	1364	msiexec.exe
Token: SeRestorePrivilege	1364	msiexec.exe
Token: SeTakeOwnershipPrivilege	1364	msiexec.exe
Token: SeRestorePrivilege	1364	msiexec.exe
Token: SeTakeOwnershipPrivilege	1364	msiexec.exe
Token: SeRestorePrivilege	1364	msiexec.exe
Token: SeTakeOwnershipPrivilege	1364	msiexec.exe
Token: SeRestorePrivilege	1364	msiexec.exe
Token: SeTakeOwnershipPrivilege	1364	msiexec.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
4804	msiexec.exe
4804	msiexec.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 4388	1364	msiexec.exe	86
PID 1364 wrote to memory of 4388	1364	msiexec.exe	86
PID 1364 wrote to memory of 2484	1364	msiexec.exe	88
PID 1364 wrote to memory of 2484	1364	msiexec.exe	88
PID 1364 wrote to memory of 2484	1364	msiexec.exe	88
PID 2484 wrote to memory of 2344	2484	MsiExec.exe	90
PID 2484 wrote to memory of 2344	2484	MsiExec.exe	90
PID 2484 wrote to memory of 2344	2484	MsiExec.exe	90
PID 2344 wrote to memory of 2868	2344	cmd.exe	92
PID 2344 wrote to memory of 2868	2344	cmd.exe	92
PID 2344 wrote to memory of 2868	2344	cmd.exe	92
PID 3912 wrote to memory of 3180	3912	msedge.exe	94
PID 3912 wrote to memory of 3180	3912	msedge.exe	94
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 2028	3912	msedge.exe	95
PID 3912 wrote to memory of 548	3912	msedge.exe	96
PID 3912 wrote to memory of 548	3912	msedge.exe	96
PID 3912 wrote to memory of 320	3912	msedge.exe	97
PID 3912 wrote to memory of 320	3912	msedge.exe	97
PID 3912 wrote to memory of 320	3912	msedge.exe	97
PID 3912 wrote to memory of 320	3912	msedge.exe	97
PID 3912 wrote to memory of 320	3912	msedge.exe	97
PID 3912 wrote to memory of 320	3912	msedge.exe	97
PID 3912 wrote to memory of 320	3912	msedge.exe	97
PID 3912 wrote to memory of 320	3912	msedge.exe	97
PID 3912 wrote to memory of 320	3912	msedge.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2868	attrib.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\30050b3673c720729cd6a61803059b16dd3aa526683e7342aae0261e4c78fa83.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4804

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 95D1847D0DE960C255BA0BEF16825FE4
  2⤵
  - Modifies extensions of user files
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E580896.bat" "C:\Windows\Installer\MSICB5F.tmp""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -r -h "C:\Windows\Installer\MSICB5F.tmp"
      4⤵
      Views/modifies file attributes
      PID:2868

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RecoveryManual.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x40,0x128,0x7fff24fd46f8,0x7fff24fd4708,0x7fff24fd4718
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,14250233264995788096,17508536512916120099,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,14250233264995788096,17508536512916120099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,14250233264995788096,17508536512916120099,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  PID:320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,14250233264995788096,17508536512916120099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,14250233264995788096,17508536512916120099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,14250233264995788096,17508536512916120099,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,14250233264995788096,17508536512916120099,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,14250233264995788096,17508536512916120099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3956 /prefetch:8
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4180
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff75d6d5460,0x7ff75d6d5470,0x7ff75d6d5480
    3⤵
    PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,14250233264995788096,17508536512916120099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,14250233264995788096,17508536512916120099,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,14250233264995788096,17508536512916120099,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:1216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57c891.rbs

Filesize
7KB

MD5
fe4f21d7f359b7ee6ff9e02ecc155d4a

SHA1
da89f00d18d3425e30c2e087c8f8656226573916

SHA256
6842fbc93177298d22faba5c241ef206b0569edaa72118c289b9b12a04fdee32

SHA512
f115345cf6595c01c7d51471238fd2f0beac11cc1fbd643736665b879d21e3af14dcf50aa7932f939c490aada1f82646d911024eb5d7c832a835e7ef67a445d9

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\RecoveryManual.html

Filesize
2KB

MD5
47e04c61abfb33afa5dd09d033a7078e

SHA1
90dc5d9e58b24016e48c022856c4744591fdfacd

SHA256
b732e955590f25abc91ec8a9afa35d9f032a5b65335f47c2b0e8ee06c7499314

SHA512
36a3323a46ea86664560f8dab7d107666089e0534c72cf3a36f82298a433fae8b17492cdff7ddb624423747a7a5ae55b833527aac1142bf79577be52e52deaa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8c9383861d9295966a7f745d7b76a13

SHA1
d77273648971ec19128c344f78a8ffeb8a246645

SHA256
b75207c223dfc38fbb3dbf03107043a7dce74129d88053c9316350c97ac26d2e

SHA512
094e6978e09a6e762022e8ff57935a26b3171a0627639ca91a373bddd06092241d695b9f3b609ba60bc28e78a5c78cf0f072d79cd5769f1b9f6d873169f0df14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
84dfd15dba7b02cbbe8862e45b989aad

SHA1
527f2bfdc0666e3dd476b2668eb824b3c6711ec1

SHA256
223333e2a04e1c5de3ea2f4a5cd0a613a1bc7384457e6f5e2feeb33a0527aa4d

SHA512
d545b0cb4d60b032ed8841ff87088b72820954f3fb2956242e9f8ca56bf75aac857cb27a237d228450c8678e8016e4d5c29560d7471aed24288ea9301a71f968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
51417449b08a25a459bf0eee952a04f3

SHA1
433e8405f374c239f7fe8615a67c240343120183

SHA256
9c4e7b2ac14b01fe69ed5ee89521600ff2b0dece5577d332f5f90e65fc0a93a7

SHA512
9dea50d9b5066bf098c5046f421f5d43819e8c43fa5fa8081d5c60c2e9a4dcffcb75971614b6e713ed97f95dca671308f23f24f88f653b2101236e30925a7051

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
40850ffee8e6bbb2b663f39d6a5ef309

SHA1
511d2e72941a3b77210b84cac9ac62481810f59c

SHA256
34403c802130a071e2015439c79632aa05ef624c025ae8869d0b87f2d0e569eb

SHA512
97bccade5d3e4c12f5417f5128fe1c6bfd6f116a7307896aa77f365ab201614e300946b4e818e2811dce62c5bbc2fc75b5e9845fc8b3cf6f053438573e6c25e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
60b345592703258c513cb5fc34a2f835

SHA1
39991bd7ea37e2fc394be3b253ef96ce04088a6d

SHA256
7e358b4f7553c9385e8eb2c5692d426bc257bbd4c0213e6c69294459734f6300

SHA512
0346fb4096eb285ab0fdf7e7ec38c4daf7bbb0c506f09975eb2290121d169a34c886fca342c3e06371cb697f2753a697ca4f72af7817ed340eee6063897110a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
8ad129fbf2980adb7ab0ce882586c659

SHA1
b1c5b075efd3943b5542f01478ea7b70fd457757

SHA256
990a372e74d3cbc3a036c4204990e9c1cac1497f60f917cf3abd6b4d26412ee7

SHA512
4d8263e082c8bb78cee3ba88134d1fde6929a8cdd7d510702f3ca42965f80ecd95e60ecd95909625c583210177ec2b91fcda09b45429f580da6379b84ac0d45a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
44c7fde3f1f478a62154f1091a36ec13

SHA1
315e58407023ddbb78af6ae95766d5411385fac3

SHA256
d198cfced35c899931f00598d10f781892bec96cc522c002beb9f76721fce762

SHA512
4a96ebd602aeb3dd769a9e1b9dceca407a9137897378d2e8a12c26edb9ac5bc12ccf83ab21152f9530a7cba6e26488dc8c7dc421e42813928f0056405a52b89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E580896.bat

Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
7203115c025b8c4f1329815e8f3552b5

SHA1
9a2e6dbfd5d4217d47687680badf74a6adca93e2

SHA256
2390bda0b9e25cfada63f509c6d8e3b0747f3f79a4e44c9634d8ed414097bdc9

SHA512
e39686999ffc7b2b6801f55471c7a63c7cb072e9ee24b6514b6638f2e1172e4840aabf9a8bc22cf144727808943f848e72a7852977bb88ab2095002e37f40437

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
9c137407507c1ecc53fbbd3938f51aec

SHA1
7af557f8efdf32730b724eed3c6ddeed3f85f916

SHA256
ac452966419955cfcdb7c6ffdd721e24348f446128d1b0f9696cefb613f25410

SHA512
893d8e0c04a2fd82090ff44a830651371aeb1df037b392481937e088af41a5faf019872b4f395fe66bd8980e9ea7b080f2467e1c2053c62e6b8af48073b853d3

Download Submit
C:\Users\Admin\Desktop\RecoveryManual.html

Filesize
2KB

MD5
47e04c61abfb33afa5dd09d033a7078e

SHA1
90dc5d9e58b24016e48c022856c4744591fdfacd

SHA256
b732e955590f25abc91ec8a9afa35d9f032a5b65335f47c2b0e8ee06c7499314

SHA512
36a3323a46ea86664560f8dab7d107666089e0534c72cf3a36f82298a433fae8b17492cdff7ddb624423747a7a5ae55b833527aac1142bf79577be52e52deaa6

Download Submit
C:\Windows\Installer\MSICB5F.tmp

Filesize
77KB

MD5
0aacf2c41ba9b872a52055ffcaeaef15

SHA1
c09b509699aeef71f3e205d53c5f4ff71cb48570

SHA256
31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585

SHA512
d259de51d22d72d27d5947530317661b97ba8fcc36e7a2ad4835e98bc311ef1aa5964f939660733171934f6aefa82d8b76a6f9f04137e1aeca63d592f0fb26ec

Download Submit
C:\Windows\Installer\MSICB5F.tmp

Filesize
77KB

MD5
0aacf2c41ba9b872a52055ffcaeaef15

SHA1
c09b509699aeef71f3e205d53c5f4ff71cb48570

SHA256
31630d16f4564c7a214a206a58f60b7623cd1b3abb823d10ed50aa077ca33585

SHA512
d259de51d22d72d27d5947530317661b97ba8fcc36e7a2ad4835e98bc311ef1aa5964f939660733171934f6aefa82d8b76a6f9f04137e1aeca63d592f0fb26ec

Download Submit
C:\Windows\Installer\e57c890.msi

Filesize
112KB

MD5
ce3969ab935f0f5b1301cd70d2e59696

SHA1
e70d3341a6e2cc8ae0f140075837ceac4453b947

SHA256
30050b3673c720729cd6a61803059b16dd3aa526683e7342aae0261e4c78fa83

SHA512
20998be53a994d7adab2b71bafccec1eeb93e356965582161fa1fccea023fbf62b0145adf5e0621118f00a4ea12a71fbb5de2fdd129d92879502a5a3da019a36

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
a2f893e56d27fc9d8325e96fca106fb5

SHA1
ab9fc68a7418dc0186593c69ca579096ea3ce29c

SHA256
9ea9d7d8ed4f6f8f6293d7eaf17fe32c53d1aa662d8294ee2fed0667aca1494d

SHA512
2bfbbffe8a21e8c0b23b70b38c81856dad00ce91200234af5d6fdc7c360d4ddd8b9e60d1b4eb4ba2f48db7c129e37f6f45dc1f8b5a440f7ce6df148ee96cdf11

Download Submit
\??\Volume{07416f20-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a76ce0d0-d27e-4d6d-8193-ffa1a1e79890}_OnDiskSnapshotProp

Filesize
5KB

MD5
f0b08ba5282d88020e4c66d887c37e6b

SHA1
59d50d64a300964e2eb651ab18e9835080ee2bbb

SHA256
7c03c94568b208eaa54ecd2654b5e7b10f8b1f9455f604946d04458bf8a046f2

SHA512
d766991c5d2ba2e5ac5fe112a000dce14054e2d31adde5aa5d156124bc220af703a557dba81b1ab3d0469cb621bb6125cc87767919cbdc3239e880d93b5c9917

Download Submit
memory/2028-684-0x00007FFF41870000-0x00007FFF41871000-memory.dmp

Filesize
4KB

Download