locky | 47c93f0a295867a3140de9e1fd3bfeccdd02fb3bbc82b93ee7e3f8a759f585ab

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2024 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Application65c9095380496.rar
Size

7.9MB
MD5

1eef11e912ec086f8c9ce16257eb8bcc
SHA1

c2f48718abcfc2d7dc9cf64e669a8a86238d3e67
SHA256

47c93f0a295867a3140de9e1fd3bfeccdd02fb3bbc82b93ee7e3f8a759f585ab
SHA512

11bd1ed1f397448902bc5a58b70cb3beb0b57d5ef6a95f33b5d63e02bd610c8602a34cb7b8104e842c56748817d31f91e838155765b5596e3f94e04f4d827062
SSDEEP

196608:r3VQq12Ro+k2LcM6L7f9+mzWKhKSw901hyNcEIi+je0ydUp7/:rDoy+k2Jcf9+NqHyNcEIi+CSp7/

Score

10^/10

locky discovery ransomware spyware stealer

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation cmd.exe
Executes dropped EXE 3 IoCs

Processes:

lic.exesetup.exeKSEFNZDNEF.exe

pid process

1168 lic.exe
2168 setup.exe
4108 KSEFNZDNEF.exe
Loads dropped DLL 2 IoCs

Processes:

RegAsm.exe

pid process

3356 RegAsm.exe
3356 RegAsm.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

KSEFNZDNEF.exe

description pid process target process

PID 4108 set thread context of 3356 4108 KSEFNZDNEF.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
1168	lic.exe
2168	setup.exe
4108	KSEFNZDNEF.exe

pid	process
3356	RegAsm.exe
3356	RegAsm.exe

description	pid	process	target process
PID 4108 set thread context of 3356	4108	KSEFNZDNEF.exe	RegAsm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings cmd.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

RegAsm.exemsedge.exemsedge.exe

pid process

3356 RegAsm.exe
3356 RegAsm.exe
3356 RegAsm.exe
3356 RegAsm.exe
2784 msedge.exe
2784 msedge.exe
3352 msedge.exe
3352 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

3352 msedge.exe
3352 msedge.exe
3352 msedge.exe
3352 msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	cmd.exe

pid	process
3356	RegAsm.exe
3356	RegAsm.exe
3356	RegAsm.exe
3356	RegAsm.exe
2784	msedge.exe
2784	msedge.exe
3352	msedge.exe
3352	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7zFM.exeAUDIODG.EXE

description	pid	process
Token: SeRestorePrivilege	4624	7zFM.exe
Token: 35	4624	7zFM.exe
Token: SeSecurityPrivilege	4624	7zFM.exe
Token: 33	3720	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3720	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

7zFM.exemsedge.exe

pid	process
4624	7zFM.exe
4624	7zFM.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

lic.exesetup.exe

pid process

1168 lic.exe
2168 setup.exe

pid	process
1168	lic.exe
2168	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exesetup.exeKSEFNZDNEF.exemsedge.exe

description	pid	process	target process
PID 1296 wrote to memory of 4624	1296	cmd.exe	7zFM.exe
PID 1296 wrote to memory of 4624	1296	cmd.exe	7zFM.exe
PID 2168 wrote to memory of 4108	2168	setup.exe	KSEFNZDNEF.exe
PID 2168 wrote to memory of 4108	2168	setup.exe	KSEFNZDNEF.exe
PID 2168 wrote to memory of 4108	2168	setup.exe	KSEFNZDNEF.exe
PID 4108 wrote to memory of 3356	4108	KSEFNZDNEF.exe	RegAsm.exe
PID 4108 wrote to memory of 3356	4108	KSEFNZDNEF.exe	RegAsm.exe
PID 4108 wrote to memory of 3356	4108	KSEFNZDNEF.exe	RegAsm.exe
PID 4108 wrote to memory of 3356	4108	KSEFNZDNEF.exe	RegAsm.exe
PID 4108 wrote to memory of 3356	4108	KSEFNZDNEF.exe	RegAsm.exe
PID 4108 wrote to memory of 3356	4108	KSEFNZDNEF.exe	RegAsm.exe
PID 4108 wrote to memory of 3356	4108	KSEFNZDNEF.exe	RegAsm.exe
PID 4108 wrote to memory of 3356	4108	KSEFNZDNEF.exe	RegAsm.exe
PID 4108 wrote to memory of 3356	4108	KSEFNZDNEF.exe	RegAsm.exe
PID 2168 wrote to memory of 3352	2168	setup.exe	msedge.exe
PID 2168 wrote to memory of 3352	2168	setup.exe	msedge.exe
PID 3352 wrote to memory of 3968	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3968	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 4264	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 2784	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 2784	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3220	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3220	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3220	3352	msedge.exe	msedge.exe
PID 3352 wrote to memory of 3220	3352	msedge.exe	msedge.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Application65c9095380496.rar
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1296

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Application65c9095380496.rar"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4624

C:\Users\Admin\Desktop\lic.exe
"C:\Users\Admin\Desktop\lic.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1168

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168

C:\ApplicationSetup\KSEFNZDNEF.exe
C:\ApplicationSetup\KSEFNZDNEF.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=UZfBnXM8WuY
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x100,0x128,0x7fff436b46f8,0x7fff436b4708,0x7fff436b4718
3⤵
PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,4049779756614194277,17832376057893927265,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
3⤵
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,4049779756614194277,17832376057893927265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,4049779756614194277,17832376057893927265,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
3⤵
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4049779756614194277,17832376057893927265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
3⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4049779756614194277,17832376057893927265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
3⤵
PID:2596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4049779756614194277,17832376057893927265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
3⤵
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,4049779756614194277,17832376057893927265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
3⤵
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2184,4049779756614194277,17832376057893927265,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5692 /prefetch:8
3⤵
PID:5100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4216

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x3f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3720

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ApplicationSetup\KSEFNZDNEF.exe
Filesize
364KB

MD5
804bbd3927e2683b2f141a20ebf495c8

SHA1
baf45b0a140f80b593e1c57866f6a343c9572c4f

SHA256
0a9cc901ea75de2525bdc635c5fd5e961752f57ca506bbc6d1cd397d3648ad11

SHA512
f746e51cabf82ecdeea468bfd6a44dd2f2bb2802ef68ad8e1fb5862a197f7aa359cfb5483028287824d14c08a94a2bbae8e350254aa14a3ece33b62cd58b9987

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d5564ccbd62bac229941d2812fc4bfba

SHA1
0483f8496225a0f2ca0d2151fab40e8f4f61ab6d

SHA256
d259ff04090cbde3b87a54554d6e2b8a33ba81e9483acbbe3e6bad15cbde4921

SHA512
300cda7933e8af577bdc1b20e6d4279d1e418cdb0571c928b1568bfea3c231ba632ccb67313ae73ddeae5586d85db95caffaedd23e973d437f8496a8c5a15025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
528B

MD5
ebdda7de90a3c06a5a8fdc7ad540f672

SHA1
13d35f8846ff63c9e39c1686b93cb886c84238d5

SHA256
f018246183d6053b23feeee3267c734c68a763509b09076ce5445f815eaff731

SHA512
994324a8a539b6e897f9990967bc884b20e46a4cfffb1f5c6860d21b3f553b598968aa38ea1e0f7acd48dccf993d4aef16626f2d910fa6fe33362267f8f855e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
a767aad06b247d0da5d560a744718b00

SHA1
c753b5a0a9bccb5c58d0dfb4f80b0543047be697

SHA256
540e3172672d4bba2d4c02b3f40c202c6feb4cc6943e677134055e03af6ff370

SHA512
09cbc0b31bdfc47a878d76c77b4e88342408fdcd6aab55f61827813c4905150b3af3884b0bd7be24a376d710dde691eb1a1def0e47d889451596200c1599857e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
fb6b3d45f1d878c28a95404bd1712346

SHA1
821eb0cd94b7a6d119a270980b5f2e5b27965835

SHA256
621e9efce17b795c336183082c1161dddf1556ba33983c277e54965f9db3f66f

SHA512
2c64b1f4f0976e8e2ec5fc6e56f088b8854a388e933c9eca7793bbedae4c2214a3cef96f29b57946e331ecb956227a4839f96f6fc56226d908891895a6d11d14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d3a54fcfc0140a7df3b5e36ab92baf4e

SHA1
6796f51aead440b6cf45a33ed96356982c4471f0

SHA256
adf9f74a7aede0bd4ddb0453c588efb41c4135961a850ad4be54ef9219816734

SHA512
09de84c8599dc2ec04b9fb943a25db7375ee8c3cc624cc9a1b0d53297f0bb9c9c06b4852edcda727a22d90d29f34f6a25152e0bac197213a92fd8be0b8678126

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
0564763d81df0791232190068aa698c4

SHA1
0214afec179068a6ec85c90c636dc2a78c2cfe36

SHA256
0b1b545920427acc0b1b8fc8167d885f3fa7cb326c662b14bd9d4c1a7816963a

SHA512
3807d5d0c87ee1d068051449e2f3393a44800fedadd4fcbed1078235cdcf3a6fb1594ab92e0e85cce6503d089065421f756f63440accbf61e2ca1662490ae40c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
1d1c7c7f0b54eb8ba4177f9e91af9dce

SHA1
2b0f0ceb9a374fec8258679c2a039fbce4aff396

SHA256
555c13933eae4e0b0e992713ed8118e2980442f89fbdfb06d3914b607edbbb18

SHA512
4c8930fe2c805c54c0076408aba3fbfb08c24566fba9f6a409b5b1308d39c7b26c96717d43223632f1f71d2e9e68a01b43a60031be8f1ca7a541fe0f56f4d9f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
f9ef38de12c5b15db0dbc698853ea75d

SHA1
e342c1b9918abdfde2ea610d6d45dc3bae3c782d

SHA256
517ef08393d944ab3bdf6f44a36105b0c8a3205b8bd1af0f9e8d33f1f32367f7

SHA512
ebea0417ae24b9cd52cd3dbe6ba8ab6001f7c23f283401d2bda90624fd54f8de12a5d155c8d671276d94c2161193cb07538fef2ae538a573f05f9838e5819cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
1360927f1d2feef583a68c73337548d9

SHA1
77cba3cf42bc74e6c620cff996e6e0800d00d628

SHA256
18aef96e068e193102199bff52bcca525f63aaa731b3b5b1937690450308e5ee

SHA512
9f6c9b469847f85eae36d1e98b4c3fc313e23397725b2f6a25d0613c542567141742214aab6e7bfe0d903f0ceeed5a4a7d780abff851f2e5a0515bcd000cf9cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
f3eaeee739b1a088c2a5a9185340dfd7

SHA1
db15875060970e68d2fade0c87fbe9a091c561b3

SHA256
8cc5530c0331c8ee8640ca9a782d353dd74a9117bcdbf67f23c733d0997941df

SHA512
c0620a35321298cd8261355058e836ebd9ac4e956feb73fc7447c74ec29843a65754b6bcfc8feae47b5d31150477550a614b5eaa3cb3d8db5180c8ded1eaa719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
7d4c05bb1b19bb0aa60f8da1325128a6

SHA1
b6368b9bcfda4ddab3fe8d206aa6b586fc4c1cc8

SHA256
553de6b3ec2eda7de48ebf96c183f2654399b78225d6fcf6f8a2e283e058eed2

SHA512
7191e52a028460843875c39f40cf2c9dcf51f92e359ba86d6e85de4c5957065cf572ff4b92219399cc77d7f30b82e8e76c798f58d51f9a1a072b02a211e344cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59a6b6.TMP
Filesize
48B

MD5
a8a3e09dd2be1a91393fc77ca9944a65

SHA1
8639900ca7e355d66db6e9fcafe22c6e9564329d

SHA256
6cc02e08ef7838b8253acd6922235d538b72bcb01c3e83c6dc414fa775ae4530

SHA512
9ce0648344c9e2ebac57995d07ff086509e6a7c616dca0ecafeec944878759af87d24911d232a85b926bf4b23b160e52d6390eecc03a60e0baacbbd5fa62c1a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
706B

MD5
190b37ce37503a419088cfebcc9d3d1a

SHA1
87ab1fd83fad7b192eebc73e254726e33c44c0dd

SHA256
ae80a8c7c26c1171cdb0fb9461dde1c8d19472b16d312fe29eee2d5e0dcf12c9

SHA512
ae7330e44cbb1c75d3516645d897a72fdecb025ac0002a13dfacaa9f0e5642c98cab6be178d9a2546e37638fa771fd8e795bf490cd17a02bc198174a8a156a49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59a80e.TMP
Filesize
539B

MD5
efc1b33f2879fef14c27b1e7d4739b5b

SHA1
5db52c23b5df3911db4f7076732f36c9d94f29de

SHA256
f00105815549060a46a561ec4968355c7956cfe936dec36f0bd9dfaef5fd12bb

SHA512
cbdd260ec5a485852f62b5a8bbf3902b331aca0a5af562ec11c1e948039ecbe4e2aa408284db8900d03854891c04a240d54a7c0ad2975adabedfab6802b8dece

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
716a5313a9be5ab76f2e2402a8ad3309

SHA1
845a4fabce9dc1c281deec2744d60bd4d91a480d

SHA256
2993d04f225d8aa197ae2590a71c35c6d4eb8f4a0c1ab81d1b34fa7f6350fb96

SHA512
c8d6f17c06ad38f931eba660f87842b3bc91162ffcc15fb70687176a50f3fe70088d34804e185ddf0ba46f9664a57056d79824aedb7032fa475ea9be4c0b7263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
370de1230f37f5bc862071856edfbb04

SHA1
c19e0bb3143c9fb586a672459e82430de0ef9e6e

SHA256
a72fe551268ee4272d3d58464b140f596b931e2ff844bc342090d0e72af3fbcb

SHA512
2f05091741ad8bf042851b696b043634b63b69174b0083703d50ae6f64bd890e020ccf1bb13e88a02888633929a44a4db6ee7b5e0d91728428eb2ef529a67adb

Download Submit
C:\Users\Admin\Desktop\READ FAQ!!!.txt
Filesize
4KB

MD5
0744912a6b0cc3319d2ffa00832f3dd3

SHA1
5b54eb623121b63aec07a0bf1ce463b381c8a2a4

SHA256
fbba0e282def71de9b098c1710ba7fd4847fdbe541bdfddd1352019516f34fbc

SHA512
8a897f1a830b754904f5c7f77199ac3ccdc397d8d6377703a99267047cabbacb42a07dc69ac4930ea87db827d064d01bb131563a64e55876890697fd34e108ac

Download Submit
C:\Users\Admin\Desktop\data\data.dat
Filesize
1.2MB

MD5
f2d3bcb9a38dfa4a90daccb9ca2a3b54

SHA1
7867f9902cd17d7af4e6a671a6e50c3dfd3ef9ad

SHA256
f073ec203af3d6f8aeddcd8e0c2cc003009224fc3b3c5545eb3add89bcab0890

SHA512
c3411d08305b6c46cfb1d1faa5e280e3a202859c54b2f4fa8383544085d8a13ec6ba2ff31bc8ba7719152ec5de9e03bc8170e73b04b9a76b54c9136ac8fe9186

Download Submit
C:\Users\Admin\Desktop\data\program.PNG
Filesize
696KB

MD5
a3d4494188555fd642820346806fd1d8

SHA1
53a37fb21d1fdc91cdea14721eeecac83cc2825c

SHA256
ace20dad2b8ef82a5f8674afc8e9ca05f5f3f63efc798d66b43eb7124dc802ca

SHA512
a4265bf8fb50fbdb1b13b3d03126b2ec354cbd4c0ee9baa51911700e1be73753f549b1a8cdace269b674afaab04b03f545a2a383f3fd8a0b7898b8498a4a25e4

Download Submit
C:\Users\Admin\Desktop\lic.exe
Filesize
3.4MB

MD5
49ad6cf1806880fb9c93178165645118

SHA1
5758d1b5b244c644ea382de12a93addd41030c58

SHA256
998e34c956fbc33d28251b1a9188fcf51813fd36f460bc64bf051e1ff9e6adac

SHA512
43bf7d609f36c82816a93979208a8eabefa9637a5246c764feb52f495a2a95cd710ac316a53ed735da5759838b7fbf9a9f9490dcb07f806f7a0dbfa2f8234374

Download Submit
C:\Users\Admin\Desktop\lic.exe
Filesize
640KB

MD5
92a3db44322c2ee061169d83af85f480

SHA1
a0991f875263f41062298ebcd9f028bea59d0ca0

SHA256
2396f1565095a1ae4579e26d5ccdd0122627cd64d62bb4a925461f6692c91ca8

SHA512
bde798940dd64d8372c4b42e77436ddec80431126cc0797dcf5d90e02208aa29dca055a0d9dc3e58a5e98c8aaa098f984057cc89882c612a6398eaf9ad96754d

Download Submit
C:\Users\Admin\Desktop\setup.exe
Filesize
12.8MB

MD5
b80910eface3995762c4d4dad70d4fdb

SHA1
6b76db92f627757e568ddd1c9203ecb741fe5436

SHA256
dec8be7b225f7426d92dec29d32e68230a48c466cfec577828ab85ff3be45c1e

SHA512
595646af181a0b1995506431143bb4e72ad6dea29e9c0cb21a411d0a74d5d251bd43c29db870589fcb847172651cbe7972d3e2442a46d8ba61d763517dc43122

Download Submit
C:\Users\Admin\Desktop\setup.exe
Filesize
13.9MB

MD5
a3ea34300b2d751c4e208580ecd8290a

SHA1
24c5bb50734dc911c2208db93c0f24dd31fa0b74

SHA256
aca6f062c487f098000072305eaa1fe5d79412497aedf97aa5b08d3ce5bfd944

SHA512
51ba9da71ce237db1df5e8cd8ac352ae5d53d253a2d45ee71844595852a15bd643fd2801b92c111ad23e548d7d55d19d32329c8295bb664ee2887568df744618

Download Submit
\??\pipe\LOCAL\crashpad_3352_ORWNKVXVHVDBVLIR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1168-107-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/1168-105-0x0000000000400000-0x00000000007FB000-memory.dmp

Filesize
4.0MB

Download
memory/1168-91-0x0000000000400000-0x00000000007FB000-memory.dmp

Filesize
4.0MB

Download
memory/1168-90-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/1168-536-0x0000000000400000-0x00000000007FB000-memory.dmp

Filesize
4.0MB

Download
memory/1168-232-0x0000000000400000-0x00000000007FB000-memory.dmp

Filesize
4.0MB

Download
memory/2168-94-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2168-178-0x0000000000640000-0x0000000001C8D000-memory.dmp

Filesize
22.3MB

Download
memory/2168-225-0x0000000000640000-0x0000000001C8D000-memory.dmp

Filesize
22.3MB

Download
memory/2168-215-0x0000000000640000-0x0000000001C8D000-memory.dmp

Filesize
22.3MB

Download
memory/2168-118-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2168-212-0x0000000000640000-0x0000000001C8D000-memory.dmp

Filesize
22.3MB

Download
memory/2168-210-0x0000000000640000-0x0000000001C8D000-memory.dmp

Filesize
22.3MB

Download
memory/2168-217-0x0000000000640000-0x0000000001C8D000-memory.dmp

Filesize
22.3MB

Download
memory/2168-106-0x0000000000640000-0x0000000001C8D000-memory.dmp

Filesize
22.3MB

Download
memory/3356-122-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/3356-125-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/3356-209-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/3356-129-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/3356-130-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4108-127-0x00000000724F0000-0x0000000072CA0000-memory.dmp

Filesize
7.7MB

Download
memory/4108-128-0x00000000025F0000-0x00000000045F0000-memory.dmp

Filesize
32.0MB

Download
memory/4108-112-0x00000000724F0000-0x0000000072CA0000-memory.dmp

Filesize
7.7MB

Download
memory/4108-119-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/4108-213-0x00000000025F0000-0x00000000045F0000-memory.dmp

Filesize
32.0MB

Download
memory/4108-116-0x0000000005100000-0x000000000513E000-memory.dmp

Filesize
248KB

Download
memory/4108-115-0x0000000004B50000-0x00000000050F4000-memory.dmp

Filesize
5.6MB

Download
memory/4108-114-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/4108-113-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download