Analysis

  • max time kernel
    270s
  • max time network
    263s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-04-2023 05:13

General

  • Target

    053680ED933D58F4150FFDEFAC4D9F13.exe

  • Size

    669KB

  • MD5

    053680ed933d58f4150ffdefac4d9f13

  • SHA1

    69c4a4ffb650a6fdfe343d6acca3b988647aee30

  • SHA256

    af768da08a34ddf503522186a22e65e623491e48754356210cc6798598f85266

  • SHA512

    4ed454e96f65c2a7cefbe27a499e2fb3eeea8512e704aae7de4245e0a0d38788ec7366937a68a57b714681da3f43ebddf32241756f0f0e6eb63488c8c3966de2

  • SSDEEP

    12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8DnKD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWmKrKe

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">84EC80E89115B654DFAC3F45D62398DD2A43908C9550C56D162791692A8773564397836BA48770299A196F4E133EB17913A98A71F893B37855186B4C625622DC<br>0DBF18F672DC579F24979BCB7981BA753C4E7931ED27B84BC8D9E486098278D97F6484D784BD399263E77B30F9FE652BA7C2BEA31EFA95E4936E0C83DA49<br>858F3C73EE12D1192FF81CC3423D68DE13F1AB77B7D6BA35E71D59B7C0D896ABA3F6E5945A3F78871D9CE93359F66E21F470604CA449ACC18440DE93AF41<br>2C49CED0B241EE7A6A1AE9F353B4FFF7B94F602159D3B09AFCD5C14E30D8880C43E06DDD4828B6D02BA25AAACA2EFC1DB9574168C35C11B96816A09EA10A<br>5141EF81CB72B7499DA00EFF97C916FD1005F1A022D64D3EF7675C165A72538505B6EA29DD3684F70998C00A3D62AC1E05131384B05920E6C28905E85623<br>08C17539045550F4A972ED13F072490F754E1FF79A232B9DBD5D3926E879F22BD32B7DD6CFB27F0356EE03791AD6EB567ECD49428FB2FD32EB8E05AA44BA<br>2144A096347409F0F0FAF728674B1E05FBDD3C6DB89D811B3079891FEE915DAC929FC82BB447B9712C8F808663C17F153A246D08DE52D5BB427AC0A25F23<br>A31F4F4FE2DE5BDBC827C09896AA3B23B148E18598B37EBC45ABC3E97BF6485790BA015ACA2A844A8BEE263A963B60193F20FBEDC5B15D758D40C0825B4B<br>390C3E330CB4F0E0FE4419A32483</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RECOVER_DATA.html

Family

medusalocker

Ransom Note
Your personal ID: 84EC80E89115B654DFAC3F45D62398DD2A43908C9550C56D162791692A8773564397836BA48770299A196F4E133EB17913A98A71F893B37855186B4C625622DC 0DBF18F672DC579F24979BCB7981BA753C4E7931ED27B84BC8D9E486098278D97F6484D784BD399263E77B30F9FE652BA7C2BEA31EFA95E4936E0C83DA49 858F3C73EE12D1192FF81CC3423D68DE13F1AB77B7D6BA35E71D59B7C0D896ABA3F6E5945A3F78871D9CE93359F66E21F470604CA449ACC18440DE93AF41 2C49CED0B241EE7A6A1AE9F353B4FFF7B94F602159D3B09AFCD5C14E30D8880C43E06DDD4828B6D02BA25AAACA2EFC1DB9574168C35C11B96816A09EA10A 5141EF81CB72B7499DA00EFF97C916FD1005F1A022D64D3EF7675C165A72538505B6EA29DD3684F70998C00A3D62AC1E05131384B05920E6C28905E85623 08C17539045550F4A972ED13F072490F754E1FF79A232B9DBD5D3926E879F22BD32B7DD6CFB27F0356EE03791AD6EB567ECD49428FB2FD32EB8E05AA44BA 2144A096347409F0F0FAF728674B1E05FBDD3C6DB89D811B3079891FEE915DAC929FC82BB447B9712C8F808663C17F153A246D08DE52D5BB427AC0A25F23 A31F4F4FE2DE5BDBC827C09896AA3B23B148E18598B37EBC45ABC3E97BF6485790BA015ACA2A844A8BEE263A963B60193F20FBEDC5B15D758D40C0825B4B 390C3E330CB4F0E0FE4419A32483 /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. Contact us for price and get decryption software. qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion * Note that this server is available via Tor browser only Follow the instructions to open the link: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. 3. Now you have Tor browser. In the Tor Browser open qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion 4. Start a chat and follow the further instructions. If you can not use the above link, use the email: [email protected] [email protected] * To contact us, create a new free email account on the site: protonmail.com IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

  • MedusaLocker payload 2 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\053680ED933D58F4150FFDEFAC4D9F13.exe
    "C:\Users\Admin\AppData\Local\Temp\053680ED933D58F4150FFDEFAC4D9F13.exe"
    1⤵
    • UAC bypass
    • Modifies extensions of user files
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2924
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4564
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1956
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3472
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\HOW_TO_RECOVER_DATA.html
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3404
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9308846f8,0x7ff930884708,0x7ff930884718
      2⤵
        PID:2184
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
        2⤵
          PID:4416
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
          2⤵
            PID:2168
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
            2⤵
              PID:4636
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
              2⤵
                PID:4136
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
                2⤵
                  PID:1112
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
                  2⤵
                    PID:2112
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
                    2⤵
                      PID:4708
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
                      2⤵
                        PID:5080
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
                        2⤵
                          PID:2732
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
                          2⤵
                            PID:2172
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                            2⤵
                            • Drops file in Program Files directory
                            PID:3140
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6fdf35460,0x7ff6fdf35470,0x7ff6fdf35480
                              3⤵
                                PID:3440
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
                              2⤵
                                PID:2000
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 /prefetch:2
                                2⤵
                                  PID:2964
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:5064
                                • C:\Users\Admin\AppData\Roaming\svhost.exe
                                  C:\Users\Admin\AppData\Roaming\svhost.exe
                                  1⤵
                                  • Executes dropped EXE
                                  PID:4952

                                Network

                                MITRE ATT&CK Enterprise v6

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  aaeb1f5e097ab38083674077b84b8ed6

                                  SHA1

                                  7d9191cb2277c30f1147c9d29d75fc8e6aa0a4f2

                                  SHA256

                                  1654b27bfaeee49bfe56e0c4c0303418f4887f3ea1933f03cafce10352321aef

                                  SHA512

                                  130f1b62134626959f69b13e33c42c3182e343d7f0a5b6291f7bb0c2f64b60885f5e6331e1866a4944e9b7b2e49fe798e073316fde23927ede2c348ba0e56eda

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  1db53baf44edd6b1bc2b7576e2f01e12

                                  SHA1

                                  e35739fa87978775dcb3d8df5c8d2063631fa8df

                                  SHA256

                                  0d73ba3eea4c552ce3ffa767e4cd5fff4e459e543756987ab5d55f1e6d963f48

                                  SHA512

                                  84f544858803ac14bac962d2df1dbc7ed6e1134ecf16d242d7ee7316648b56b5bc095241363837bf0bf0afd16ca7deebe7afb7d40057604acbf09821fd5a9912

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

                                  Filesize

                                  70KB

                                  MD5

                                  e5e3377341056643b0494b6842c0b544

                                  SHA1

                                  d53fd8e256ec9d5cef8ef5387872e544a2df9108

                                  SHA256

                                  e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

                                  SHA512

                                  83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

                                  Filesize

                                  2KB

                                  MD5

                                  cd0d05e6e78db00fd46c977f4a2cac59

                                  SHA1

                                  b9b7014c3e34b7d6d99500974c47f7697cdd0f58

                                  SHA256

                                  cf95f89e9cacdcd6761abc7214e9bea838391122bd237e7fb6b7833cf948a3bd

                                  SHA512

                                  ee63c6ce4c65cb5a29732027982bdc2e8af8bf12ef506b9b21613537c2b6fe16599c9f27229e530d97d6326b1849a39937cfc73b74b9c19b05b2c43ba62080f2

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                  Filesize

                                  111B

                                  MD5

                                  285252a2f6327d41eab203dc2f402c67

                                  SHA1

                                  acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                  SHA256

                                  5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                  SHA512

                                  11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  5KB

                                  MD5

                                  262da57af55047c1401e3f232ed139aa

                                  SHA1

                                  2787eba07f520c28f6c599a96c0bf6417f231eb3

                                  SHA256

                                  1816ba07dc7a2ac90f60ccf7eb15fbabbcede3e72d5c4b0ef5e2caf75dea946d

                                  SHA512

                                  54a1c7175814d79cda92a950d0d04f8d885159d1bca0f26cf91710b6db37f87064a178225ba9d570aeec2c79195183d642990d941807635fc29da92a2285c9e0

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  5KB

                                  MD5

                                  716a1628dae76b9d828a0a965a9311d5

                                  SHA1

                                  5253a225cdabf9d616c66af1cd01e26f30489740

                                  SHA256

                                  785d9682482586af9aecd49734d5e8250f18704215d3afedcb90ae583ab7f4f8

                                  SHA512

                                  d8c610c06062ecd021f68edd4249d3ca7b1bc14ea908bee755b668014a4cf6c358230e2b57b7cee344af5dc239fdb34739cb67647ff4ea7d826201f04a7e89ec

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  4KB

                                  MD5

                                  1dcc2e033ef540f3627ddb9f2c65e5ab

                                  SHA1

                                  eb53cd9a97eb07f0a2ae34c474a201028b90db39

                                  SHA256

                                  1964e83343e832d2906df6eb6d1da94b3c6608511884bf1f0d928842a944a4dc

                                  SHA512

                                  47550b0892db96b0755c9124370b7f4a4d26aba94b6689c3720ae152952d095044297f79ee1448f66226862a4c535f7f0fa2e5284c4c58a794dc9b43ce882b9e

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                  Filesize

                                  24KB

                                  MD5

                                  47e94a96372e6f095b8a3fd7edc48ec0

                                  SHA1

                                  377b68f34e5964ca8be1b1b0c1507dd7f0e5f005

                                  SHA256

                                  15c77bafd922bd085317fd544d0fa129e3b8c814e3ba0d48936366004427732e

                                  SHA512

                                  5bd63de2e831805b723d7ddf1343c3b721ef5b757d9ab01bf8554ef8e29ac2cc09fa104fc85d530f27d66b67280774b3ebbef6729ea3ab61ce8028ab4ba5bdad

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                  Filesize

                                  16B

                                  MD5

                                  206702161f94c5cd39fadd03f4014d98

                                  SHA1

                                  bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                  SHA256

                                  1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                  SHA512

                                  0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

                                  Filesize

                                  41B

                                  MD5

                                  5af87dfd673ba2115e2fcf5cfdb727ab

                                  SHA1

                                  d5b5bbf396dc291274584ef71f444f420b6056f1

                                  SHA256

                                  f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                  SHA512

                                  de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

                                  Filesize

                                  16B

                                  MD5

                                  46295cac801e5d4857d09837238a6394

                                  SHA1

                                  44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                  SHA256

                                  0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                  SHA512

                                  8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  9KB

                                  MD5

                                  e6e3d78662ad20a566804e29262151c2

                                  SHA1

                                  75465e344887b8c86732444c5781184036987cb6

                                  SHA256

                                  5985fa1e0b4adc142f7c3d1a75bf4b0751298f688173d6d0599ae8bda24a22fc

                                  SHA512

                                  138c1a31c1f48ae63abcf78bbe49a5f0972b2a17d1cd51b85d4caab656ee41c25dc1d161b8901319ba8d7f96ebdfc34ee1c730ad0e3d53b9976f8222f25c276e

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  12KB

                                  MD5

                                  e0b775e0be8f2e29a59209934988affc

                                  SHA1

                                  8a5532b8222a763db178ab231595c5a9d7b77559

                                  SHA256

                                  d9ed302cadb9db746417c99d8ace58657b300f733aad32b878b3775e5993c3e4

                                  SHA512

                                  f8f7e1d3ce382318183aded6ff4c22b3bb72a3dca8ccfa0c05b5193aec196a4c59ab37804ce559702f307d7d29729189fd9fc922ecd841daf36b8459b9fbceb7

                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

                                  Filesize

                                  3KB

                                  MD5

                                  904dab7456c3af76791e0ef49455124f

                                  SHA1

                                  26a343e7988604accf2c9ddddb8d685ed85c635f

                                  SHA256

                                  a2ae122259deb1aabd5b3f61de539380eaf48348c5ad6915073c491e9be312a3

                                  SHA512

                                  413271c0a5ec3099f09c34fa8c32abe2f956d38b10947252e60b9e6ba4e0b9d40e06c8dad5c7b29376f6308b41d0b71c9e4bdf9cf2a13fb8bc3d7d0797e27d61

                                • C:\Users\Admin\AppData\Roaming\svhost.exe

                                  Filesize

                                  669KB

                                  MD5

                                  053680ed933d58f4150ffdefac4d9f13

                                  SHA1

                                  69c4a4ffb650a6fdfe343d6acca3b988647aee30

                                  SHA256

                                  af768da08a34ddf503522186a22e65e623491e48754356210cc6798598f85266

                                  SHA512

                                  4ed454e96f65c2a7cefbe27a499e2fb3eeea8512e704aae7de4245e0a0d38788ec7366937a68a57b714681da3f43ebddf32241756f0f0e6eb63488c8c3966de2

                                • C:\Users\Admin\AppData\Roaming\svhost.exe

                                  Filesize

                                  669KB

                                  MD5

                                  053680ed933d58f4150ffdefac4d9f13

                                  SHA1

                                  69c4a4ffb650a6fdfe343d6acca3b988647aee30

                                  SHA256

                                  af768da08a34ddf503522186a22e65e623491e48754356210cc6798598f85266

                                  SHA512

                                  4ed454e96f65c2a7cefbe27a499e2fb3eeea8512e704aae7de4245e0a0d38788ec7366937a68a57b714681da3f43ebddf32241756f0f0e6eb63488c8c3966de2

                                • C:\Users\Admin\Desktop\HOW_TO_RECOVER_DATA.html

                                  Filesize

                                  4KB

                                  MD5

                                  1ebc3aa31f4bfbc94236db7ba0c93686

                                  SHA1

                                  64d9560d575c337882599d0817673a61abe3e807

                                  SHA256

                                  2d3a07eb70d4da07294d5e63d1a136eeb090e85a0be0618599619cefa9ab4dee

                                  SHA512

                                  34f53983f74d8c9da0342cd18af3bed90af6c7f492ef3b7e5351ffd5e4cf83694c3563b24d0db0d97ca5e0bf1892aeee75495dfeaf80e6fe08d68fed354720cd

                                • C:\Users\Admin\Desktop\Microsoft Edge.lnk

                                  Filesize

                                  2KB

                                  MD5

                                  9cd2e84871a399edef6b2ec2a460e018

                                  SHA1

                                  3c46a996099f66cb2a5dc7e8cfc2127810f37b82

                                  SHA256

                                  42de0f46f43b8dd9ec7561db322c9ae9f7673bf3ef68cac063baa66b694fdbf2

                                  SHA512

                                  f62d44157e43faf55f93f5d63f0d0f07b8c23a2466d56bc0e7cb61d2102783d21b11fe8855904b4677f7ef8c89bcea648e5e39c4bdc13bdd000bbbc5d24b55c5

                                • C:\Users\Default\ntuser.dat.LOG2

                                  Filesize

                                  536B

                                  MD5

                                  67947f6f217c1d8c2888103f7307bff9

                                  SHA1

                                  daf3b5ce85cf6691d2de26fe1a23ac2463b62e60

                                  SHA256

                                  e8c79033e90bde1dd6e2d7c5b5731b0b29e51f137a4b14988c33b89196f40127

                                  SHA512

                                  d7272883539e801795218d9a7ea19a15e218c9a9ae3c4b453c5f63e94d633e17a8494a43b297ecd4a7141433e78026c62aa65e8ce285fcfa6ed9c2d058800b8c

                                • \Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html

                                  Filesize

                                  4KB

                                  MD5

                                  1ebc3aa31f4bfbc94236db7ba0c93686

                                  SHA1

                                  64d9560d575c337882599d0817673a61abe3e807

                                  SHA256

                                  2d3a07eb70d4da07294d5e63d1a136eeb090e85a0be0618599619cefa9ab4dee

                                  SHA512

                                  34f53983f74d8c9da0342cd18af3bed90af6c7f492ef3b7e5351ffd5e4cf83694c3563b24d0db0d97ca5e0bf1892aeee75495dfeaf80e6fe08d68fed354720cd