Resubmissions
240226-tmaalaaf7v  26-02-2024 16:09  1
240226-tl1fdsaf6x  26-02-2024 16:09  1
240226-tjq4yaae9t  26-02-2024 16:05  1
240226-thjcpsae6v  26-02-2024 16:03  4
240226-tg87qsab27  26-02-2024 16:02  1
240226-tg31qaae5w  26-02-2024 16:02  1
240226-tcnegaad4t  26-02-2024 15:54  6
240226-tay37ahh68  26-02-2024 15:51  1
240226-tal4maac7z  26-02-2024 15:51  1
240226-taaqlahh56  26-02-2024 15:50  1

Analysis
max time kernel: 381s
max time network: 367s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-02-2024 15:37
Static task: static1
Behavioral task: behavioral1
Sample: New Compressed (zipped) Folder.zip
Resource: win10v2004-20240221-en
General
Target: New Compressed (zipped) Folder.zip
Size: 22B
MD5: 76cdb2bad9582d23c1f6f4d868218d6c
SHA1: b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256: 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512: 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Note on the target: 22 bytes is the size of an empty ZIP archive (a bare end-of-central-directory record with every field zero), which is exactly what Windows creates for "New Compressed (zipped) Folder", and the MD5, SHA1 and SHA256 above are the well-known digests of that empty archive. The submitted file therefore contains no payload, and none of the Cerber behaviour recorded below can have been unpacked from it; the process tree starts with Explorer opening the archive and an interactive Microsoft Edge session. Treat the hashes in this section as identifying an empty file, not the ransomware. The indicators worth keeping from this report are the ransom-note names, the payment URLs and the behavioural signatures.
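The 22-byte size and the digests above can be confirmed offline. The Python below is an added example, not part of the sandbox report: it builds the empty ZIP that Windows writes for a new compressed folder, compares its MD5/SHA1/SHA256 with the values in this section, and parses the end-of-central-directory (EOCD) record by hand so the same entry-count check works on any archive without handing the file to a ZIP library first. REPORT_DIGESTS holds the values copied from this page; the one-entry comparison archive is constructed here.

```python
import hashlib
import io
import struct
import zipfile

# Digests listed in this report for "New Compressed (zipped) Folder.zip" (22 bytes).
REPORT_DIGESTS = {
    "md5": "76cdb2bad9582d23c1f6f4d868218d6c",
    "sha1": "b04f3ee8f5e43fa3b162981b50bb72fe1acabb33",
    "sha256": "8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85",
}

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory signature
EOCD_MIN_LEN = 22          # fixed part of the EOCD record (signature + 18 bytes of fields)


def empty_zip_bytes() -> bytes:
    """The smallest valid ZIP: one EOCD record with every field zero (what Windows writes)."""
    return EOCD_SIG + b"\x00" * (EOCD_MIN_LEN - 4)


def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the bytes, keyed like REPORT_DIGESTS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def zip_entry_count(data: bytes) -> int:
    """Read the EOCD record directly and return the archive's total entry count."""
    if len(data) < EOCD_MIN_LEN:
        raise ValueError("shorter than an EOCD record; not a ZIP")
    # The EOCD may be followed by a comment of up to 65535 bytes, so search backwards
    # from the end for the last signature within that window.
    start = max(0, len(data) - EOCD_MIN_LEN - 0xFFFF)
    pos = data.rfind(EOCD_SIG, start)
    if pos < 0 or len(data) - pos < EOCD_MIN_LEN:
        raise ValueError("no complete EOCD record found; not a ZIP")
    (_disk_no, _cd_disk, _entries_this_disk, entries_total,
     _cd_size, _cd_offset, comment_len) = struct.unpack_from("<HHHHIIH", data, pos + 4)
    if pos + EOCD_MIN_LEN + comment_len != len(data):
        raise ValueError("EOCD comment length does not reach end of file")
    return entries_total


def is_empty_zip(data: bytes) -> bool:
    """True when the archive's central directory lists no entries at all."""
    return zip_entry_count(data) == 0


def one_entry_zip() -> bytes:
    """Constructed comparison archive with a single stored file (not from the report)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample content")
    return buf.getvalue()


if __name__ == "__main__":
    sample = empty_zip_bytes()
    print("size:", len(sample))
    print("digests match report:", digests(sample) == REPORT_DIGESTS)
    print("entries in submitted-size archive:", zip_entry_count(sample))
    print("entries in constructed comparison archive:", zip_entry_count(one_entry_zip()))
```

Run it on the real sample with `zip_entry_count(open(path, "rb").read())`; a count of zero with matching digests means the archive is the empty one and the report's behaviour must be attributed to something else in the run.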
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___KVXYQG_.hta
cerber
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___85G6_.txt
cerber
http://p27dokhpz2n7nvgr.onion/97D7-2F04-7044-0446-920E
http://p27dokhpz2n7nvgr.12hygy.top/97D7-2F04-7044-0446-920E
http://p27dokhpz2n7nvgr.14ewqv.top/97D7-2F04-7044-0446-920E
http://p27dokhpz2n7nvgr.14vvrc.top/97D7-2F04-7044-0446-920E
http://p27dokhpz2n7nvgr.129p1t.top/97D7-2F04-7044-0446-920E
http://p27dokhpz2n7nvgr.1apgrn.top/97D7-2F04-7044-0446-920E
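The note paths and payment URLs above are the reusable indicators from this run. The Python below is an added example, not code from the report: it matches the Cerber ransom-note naming pattern, splits each payment URL into the onion label, the suffix it is reached through (.onion directly, or one of the .top mirror domains) and the victim ID, checks that all six URLs agree on label and victim, and then searches a few constructed DNS log lines for any host that begins with the known onion label, because the mirror suffixes rotate while the label stays. SAMPLE_DNS_LOG, its client addresses and the hostname p27dokhpz2n7nvgr.zz9new.top are constructed for the example and do not appear in the report.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the "Malware Config" section of this report.
NOTE_PATHS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___KVXYQG_.hta",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___85G6_.txt",
]
PAYMENT_URLS = [
    "http://p27dokhpz2n7nvgr.onion/97D7-2F04-7044-0446-920E",
    "http://p27dokhpz2n7nvgr.12hygy.top/97D7-2F04-7044-0446-920E",
    "http://p27dokhpz2n7nvgr.14ewqv.top/97D7-2F04-7044-0446-920E",
    "http://p27dokhpz2n7nvgr.14vvrc.top/97D7-2F04-7044-0446-920E",
    "http://p27dokhpz2n7nvgr.129p1t.top/97D7-2F04-7044-0446-920E",
    "http://p27dokhpz2n7nvgr.1apgrn.top/97D7-2F04-7044-0446-920E",
]

# Note file name: _R_E_A_D___T_H_I_S___<random>_ with an .hta or .txt extension.
NOTE_NAME_RE = re.compile(r"^_R_E_A_D___T_H_I_S___[A-Z0-9]+_\.(?:hta|txt)$", re.IGNORECASE)
# Victim ID in the URL path: five dash-separated groups of four hex digits.
VICTIM_ID_RE = re.compile(r"^/([0-9A-F]{4}(?:-[0-9A-F]{4}){4})$")


def is_cerber_note(path: str) -> bool:
    """Match the ransom-note naming pattern on the file name only, any directory."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return NOTE_NAME_RE.match(name) is not None


def parse_payment_url(url: str):
    """Split a payment URL into onion label, reachability suffix and victim ID; None if it does not fit."""
    parts = urlsplit(url)
    m = VICTIM_ID_RE.match(parts.path)
    if parts.scheme != "http" or not parts.hostname or m is None:
        return None
    label, _, suffix = parts.hostname.lower().partition(".")
    return {"onion_label": label, "suffix": suffix, "victim_id": m.group(1)}


def summarize(urls):
    """Collapse the URL list to the indicators worth keeping and check they are consistent."""
    parsed = [p for p in map(parse_payment_url, urls) if p is not None]
    labels = {p["onion_label"] for p in parsed}
    victims = {p["victim_id"] for p in parsed}
    return {
        "onion_labels": labels,
        "victim_ids": victims,
        "mirror_suffixes": sorted(p["suffix"] for p in parsed if p["suffix"] != "onion"),
        "consistent": len(labels) == 1 and len(victims) == 1,
    }


def matching_hosts(lines, onion_labels):
    """Flag every .onion/.top hostname in the lines whose first label is a known onion label."""
    hits = []
    for line in lines:
        for host in re.findall(r"[a-z0-9.-]+\.(?:onion|top)\b", line, re.IGNORECASE):
            if host.split(".", 1)[0].lower() in onion_labels:
                hits.append(host.lower())
    return hits


# Constructed DNS log lines (not from the report) to exercise matching_hosts().
SAMPLE_DNS_LOG = [
    "2024-02-26T15:40:01Z client=10.0.0.5 query=A p27dokhpz2n7nvgr.12hygy.top",
    "2024-02-26T15:40:02Z client=10.0.0.5 query=A p27dokhpz2n7nvgr.zz9new.top",
    "2024-02-26T15:40:03Z client=10.0.0.7 query=A update.example.top",
]

if __name__ == "__main__":
    summary = summarize(PAYMENT_URLS)
    print(summary)
    print([p for p in NOTE_PATHS if is_cerber_note(p)])
    print(matching_hosts(SAMPLE_DNS_LOG, summary["onion_labels"]))
```

Keying the DNS match on the onion label rather than the full mirror hostname is the point of the last function: a block list of the five .top names in this report goes stale as soon as the operators register a new mirror, while the label in front of it is the service the victim is being sent to.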
Signatures

Cerber
Cerber is a widely distributed ransomware-as-a-service (RaaS) family, first seen in early 2016.

Contacts a large (1118) number of remote hosts  1 TTPs
The report's generic reading is that this may indicate a network scan for remotely running services. For Cerber the fan-out is better explained by its well-documented habit of sending UDP packets to every address in one or more hard-coded network ranges after encryption, a one-way beacon rather than service discovery; the ranges themselves are not shown in this report.
-
Modifies Windows Firewall  2 TTPs  2 IoCs
Processes: netsh.exe (PID 4652), netsh.exe (PID 796)
Drops startup file  1 IoCs
Processes: cerber.exe, File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\word\startup\
Caveat: this is the Word STARTUP directory, and the entry is the same "opened for modification" directory event that the sweep signatures below record for every targeted folder; the report shows no file written there, so on its own it is not evidence of persistence.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory  38 IoCs
Processes: cerber.exe, File opened for modification, all under \??\c:\windows\SysWOW64\config\systemprofile\:
- desktop
- documents
- both appdata\local\ and appdata\roaming\ (36 entries) for each of: office, microsoft\office, word, microsoft\word, excel, microsoft\excel, powerpoint, microsoft\powerpoint, onenote, microsoft\onenote, outlook, microsoft\outlook, microsoft sql server, microsoft\microsoft sql server, steam, thunderbird, the bat!, bitcoin
The IoCs are directory paths opened with write access under the SYSTEM profile, not files written; the same 18-folder target list recurs under Program Files and the service profiles below.
Sets desktop wallpaper using registry  2 TTPs  1 IoCs
Processes: cerber.exe, Set value (str) \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp914B.bmp"
Drops file in Program Files directory  20 IoCs
Processes: cerber.exe, File opened for modification:
- \??\c:\program files\
- \??\c:\program files (x86)\
- under \??\c:\program files (x86)\ (18 entries): office, microsoft\office, word, microsoft\word, excel, microsoft\excel, powerpoint, microsoft\powerpoint, onenote, microsoft\onenote, outlook, microsoft\outlook, microsoft sql server, microsoft\microsoft sql server, steam, thunderbird, the bat!, bitcoin
Drops file in Windows directory  64 IoCs
Processes: cerber.exe, File opened for modification:
- \??\c:\windows\
- under \??\c:\windows\serviceprofiles\networkservice\ (34 entries):
  - desktop
  - documents
  - appdata\local\: steam, thunderbird, microsoft\powerpoint, excel, outlook, microsoft\excel, onenote, microsoft sql server, office, the bat!, word, microsoft\outlook, microsoft\word, powerpoint, microsoft\onenote, microsoft\office
  - appdata\roaming\: excel, microsoft\powerpoint, the bat!, microsoft\microsoft sql server, powerpoint, microsoft\office, onenote, outlook, steam, bitcoin, microsoft\outlook, thunderbird, word, microsoft sql server, office, microsoft\excel
- under \??\c:\windows\serviceprofiles\localservice\ (29 entries):
  - appdata\local\: microsoft\onenote, microsoft\word, powerpoint, bitcoin, microsoft sql server, microsoft\powerpoint, onenote, the bat!, microsoft\outlook, microsoft\microsoft sql server, thunderbird, word, office, steam, microsoft\excel
  - appdata\roaming\: microsoft\excel, microsoft\onenote, the bat!, microsoft sql server, onenote, microsoft\office, bitcoin, microsoft\microsoft sql server, microsoft\word, word, outlook, powerpoint, thunderbird, microsoft\outlook
Three signatures in this report stop at exactly 64 entries, so the list is almost certainly truncated: a full sweep of both service profiles with the 18-folder list plus desktop and documents, together with c:\windows\ itself, would be 77 entries, and the 13 that are missing here are the remaining folders of that set.
Enumerates system info in registry  2 TTPs  9 IoCs
Processes: msedge.exe (three instances), under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS: key opened (3 entries), SystemManufacturer queried (3 entries), SystemProductName queried (3 entries)
This signature is attributed to msedge.exe only; the browser reads these BIOS values itself, so it is session noise rather than ransomware behaviour.
Kills process with taskkill  1 IoCs
Processes: taskkill.exe (PID 4092)

Modifies registry class  4 IoCs
Processes:
- msedge.exe: Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1790404759-2178872477-2616469472-1000\{9F85A6EF-A7DC-4046-BCF5-687C80C97B70}
- msedge.exe: Key created \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings
- OpenWith.exe: Key created \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings
- cerber.exe: Key created \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings

Opens file in notepad (likely ransom note)  1 IoCs
Processes: NOTEPAD.EXE (PID 1960)

Runs ping.exe  1 TTPs  1 IoCs
(no process details listed)
taskkill.exe followed by ping.exe is consistent with Cerber's usual self-deletion chain (kill the running copy, use ping as a delay, then delete the executable); the report does not show the command lines, so this is an inference from the two signatures. Note also that PID 4092 is listed here for taskkill.exe and further down for OpenWith.exe: PIDs were reused during the run, so do not join events on PID alone.
Suspicious behavior: EnumeratesProcesses  22 IoCs
Processes (each listed twice): msedge.exe PIDs 1356, 564, 2060, 2696, 4312, 4284, 2632, 2972; identity_helper.exe PIDs 2148, 2092, 2060
PID 2060 appears for both an msedge.exe and an identity_helper.exe instance, another case of PID reuse within the run.
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary  31 IoCs
Processes: msedge.exe PID 564 (13 entries), PID 4284 (7 entries), PID 2972 (11 entries)
Suspicious use of AdjustPrivilegeToken  3 IoCs
Processes:
- cerber.exe (PID 3776): Token SeShutdownPrivilege
- cerber.exe (PID 3776): Token SeCreatePagefilePrivilege
- taskkill.exe (PID 4092): Token SeDebugPrivilege
Suspicious use of FindShellTrayWindow  64 IoCs
Processes: msedge.exe PID 564 (64 identical entries)
Suspicious use of SendNotifyMessage  26 IoCs
Processes: msedge.exe PID 564 (26 identical entries)
Suspicious use of SetWindowsHookEx  9 IoCs
Processes: OpenWith.exe PID 4092 (9 identical entries)
Suspicious use of WriteProcessMemory  64 IoCs
Processes: msedge.exe PID 564 wrote to the memory of its child msedge.exe processes with PIDs 4228, 1180, 1356 and 1016 (repeated entries per target; 64 listed)
Processes
Indentation shows parent/child depth; the "-" lines under a process are the signatures that fired for it.

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\New Compressed (zipped) Folder.zip"

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa494d46f8,0x7ffa494d4708,0x7ffa494d4718
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 /prefetch:8
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3156 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5380 /prefetch:8
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5776 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,327496733996884174,7155485884212633175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6400 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa494d46f8,0x7ffa494d4708,0x7ffa494d47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,4674174362114562799,98033278628664484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,4674174362114562799,98033278628664484,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4674174362114562799,98033278628664484,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4674174362114562799,98033278628664484,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4674174362114562799,98033278628664484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4674174362114562799,98033278628664484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4674174362114562799,98033278628664484,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4674174362114562799,98033278628664484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3556 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4674174362114562799,98033278628664484,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3556 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4674174362114562799,98033278628664484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4674174362114562799,98033278628664484,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4674174362114562799,98033278628664484,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa494d46f8,0x7ffa494d4708,0x7ffa494d47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,2951956286445198608,5727055949320130726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,2951956286445198608,5727055949320130726,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,2951956286445198608,5727055949320130726,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2951956286445198608,5727055949320130726,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2951956286445198608,5727055949320130726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,2951956286445198608,5727055949320130726,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5048 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2951956286445198608,5727055949320130726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2951956286445198608,5727055949320130726,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2951956286445198608,5727055949320130726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,2951956286445198608,5727055949320130726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3524 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,2951956286445198608,5727055949320130726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3524 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2951956286445198608,5727055949320130726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2951956286445198608,5727055949320130726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2951956286445198608,5727055949320130726,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2951956286445198608,5727055949320130726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2951956286445198608,5727055949320130726,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,2951956286445198608,5727055949320130726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\cerber.exe
  Command line: "C:\Users\Admin\Desktop\cerber.exe"
  - Drops startup file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  Children of cerber.exe (the image paths resolve to SysWOW64 although the command lines name system32: the parent is 32-bit, so WoW64 file-system redirection applies):
    C:\Windows\SysWOW64\netsh.exe
      Command line: C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      - Modifies Windows Firewall
    C:\Windows\SysWOW64\netsh.exe
      Command line: C:\Windows\system32\netsh.exe advfirewall reset
      - Modifies Windows Firewall
    C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___SL4UFYK_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      (renders the dropped .hta ransom note)
    C:\Windows\SysWOW64\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___NHOJMHNF_.txt
      - Opens file in notepad (likely ransom note)
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      Children of cmd.exe:
        C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /f /im "cerber.exe"
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 1 127.0.0.1
          - Runs ping.exe
-
C:\Windows\SysWOW64\werfault.exe
  Command line: werfault.exe /h /shared Global\4d19adf71a634f72a1293daccdbb5a58 /t 4544 /p 3176
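Detection logic for the three behaviours the cerber.exe subtree shows (netsh.exe changing the firewall state and resetting the policy, mshta.exe and NOTEPAD.EXE opening a _R_E_A_D___T_H_I_S_ note, and a cmd.exe child that force-kills the parent image and pings 127.0.0.1), written as an added Python example that is not part of the sandbox report. The process-creation events are constructed from the tree above; the PIDs, the event field names and the finding labels are assumptions, and the browser entry is included only as benign noise.

```python
import re
from collections import defaultdict

# Constructed process-creation events modelled on the cerber.exe subtree in the
# report above. PIDs are assumed: the page does not show them.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Users\Admin\Desktop\cerber.exe",
     "cmdline": r'"C:\Users\Admin\Desktop\cerber.exe"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r"C:\Windows\system32\netsh.exe advfirewall set allprofiles state on"},
    {"pid": 102, "ppid": 100, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r"C:\Windows\system32\netsh.exe advfirewall reset"},
    {"pid": 103, "ppid": 100, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___SL4UFYK_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'},
    {"pid": 104, "ppid": 100, "image": r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___NHOJMHNF_.txt'},
    {"pid": 105, "ppid": 100, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 106, "ppid": 105, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": r'taskkill /f /im "cerber.exe"'},
    {"pid": 107, "ppid": 105, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": r"ping -n 1 127.0.0.1"},
    # Benign noise: a browser started by the user, no suspicious children.
    {"pid": 200, "ppid": 1, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
]

# Note filenames on the page are _R_E_A_D___T_H_I_S___<random>_.hta / .txt.
RANSOM_NOTE = re.compile(r"_R_E_A_D___T_H_I_S___[A-Z0-9]+_\.(?:hta|txt)\b", re.IGNORECASE)
# Either netsh verb seen in the tree: a profile state change or a policy reset.
FIREWALL_TAMPER = re.compile(r"\badvfirewall\s+(?:reset|set\s+allprofiles\s+state)\b", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def descendants(pid, children):
    stack = list(children.get(pid, []))
    while stack:
        e = stack.pop()
        yield e
        stack.extend(children.get(e["pid"], []))


def detect(events):
    """Return {root image name: sorted finding labels} for every top-level
    process whose subtree shows firewall tampering, a ransom-note display,
    or a cmd.exe child that kills the root image and pings localhost."""
    by_pid, children = build_tree(events)
    findings = {}
    for root in events:
        if root["ppid"] in by_pid:  # only evaluate roots of the recorded tree
            continue
        root_name = basename(root["image"])
        hits = set()
        for e in descendants(root["pid"], children):
            name = basename(e["image"])
            if name == "netsh.exe" and FIREWALL_TAMPER.search(e["cmdline"]):
                hits.add("firewall_tamper")
            if name in ("mshta.exe", "notepad.exe") and RANSOM_NOTE.search(e["cmdline"]):
                hits.add("ransom_note_display")
            if name == "cmd.exe":
                kids = [basename(k["image"]) + " " + k["cmdline"].lower()
                        for k in children.get(e["pid"], [])]
                killed_self = any(k.startswith("taskkill.exe") and root_name in k for k in kids)
                pinged = any(k.startswith("ping.exe") and "127.0.0.1" in k for k in kids)
                if killed_self and pinged:
                    hits.add("self_kill_chain")
        if hits:
            findings[root_name] = sorted(hits)
    return findings


if __name__ == "__main__":
    for image, labels in detect(EVENTS).items():
        print(image, "->", ", ".join(labels))
```

The self-kill rule keys on the parent's own image name appearing in the taskkill argument, so a cmd.exe that merely kills some other process does not fire it; the other two rules match on the netsh verbs and the note filename pattern exactly as they appear in the tree.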
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD53bde7b7b0c0c9c66bdd8e3f712bd71eb
SHA1266bd462e249f029df05311255a15c8f42719acc
SHA2562ccd4a1b56206faa8f6482ce7841636e7bb2192f4cf5258d47e209953a77a01a
SHA5125fab7a83d86d65e7c369848c5a7d375d9ad132246b57653242c7c7d960123a50257c9e8c4c9a8f22ee861fce357b018236ac877b96c03990a88de4ddb9822818
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD59cafa4c8eee7ab605ab279aafd19cc14
SHA1e362e5d37d1a79e7b4a8642b068934e4571a55f1
SHA256d0817f51aa2fb8c3cae18605dbfd6ec21a6ff3f953171e7ac064648ffdee1166
SHA512eefd65ffcfb98ac8c3738eb2b3f4933d5bc5b992a1d465b8424903c8f74382ec2c95074290ddbb1001204843bfef59a32b868808a6bee4bc41ee9571515bbac6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5d829a75e48d99afb0040a2391dfbf7eb
SHA16739a4bb4932b0c8f5302e9c9c6512e0d65f13bf
SHA2560d03e8287092be3377d4135da02f84ab5016e7a4cbddc670f8e6ebc008b93712
SHA5123bd66452adebea5c5c3441418ec0c9acbd58e9a13b2777c051f8c576df6adc7224ef85aaac93cccc86b473b9fa78e2010da88cdafa2c7e919a7ffbcf954ba021
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD53624cfcb355c6c7888cfb022b59a03b3
SHA18269bb7265487ced0f15c3705188714640d1df3f
SHA25628abe3d6f18ebac6166dc8dc601f6672a609bbf3d857d4fb1d9e8f6564ae172d
SHA51270b3510103bbd50779bb464806d7e15e5d3044269edaa863313fa5ea5cc9dd5fcc3d3e000a4b5f2c4b3fde604c84a89b85a1a12ae17797ce3ab80a23f61fe802
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD51004b2ebce52fb0cbb07fbe5676d80fa
SHA13630670cd9a134b58a6e4cc920c0d7a5021ad1f8
SHA256283be1599176aa0682f928e9528d4c47578bb8f2d9d572501985bb1e114076fa
SHA512c85db792ecbe31f2318310e3f964c9c56e48758c6da8bccfe7f513c64d87070f4f4c886a0d45271acd1ce48d7780c62ef4d489c9210ddd08b061e3e0ef1c4e64
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4aceca0a-89a8-4b08-9310-5d1ab5eeaf00.tmpFilesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0Filesize
44KB
MD54528534dfd4b5a838ec5d767e56a5e13
SHA121697319c5df79abae133e8fb063c8052e57a5e1
SHA25650156c1c429bc68d717b7bcd28746457559888e9c77bae5e323949c3c0e2c6bb
SHA512861b7e86c54b154dba169bd189795908dbc93f5b5ec2a092b0dfec86c079d125c05d24676bc855b9c813759a93eed2e75e506ca26e12d042d67ad66e824dc166
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0Filesize
44KB
MD5740042ca496b1ac22dcbcadf4b06dd7e
SHA13cddac932aea46a497e030aaa594d68cddc6cb38
SHA256403b3fb35f7b4878851e28ac013e844417ed138aa7e98db09b150dca43a5b401
SHA51299a968ec9afbb4813347d50d2d1ce8df1dcee283281cb8bc8ab9587f2b7b5305c2e87f22f455561fb4933b6f1f31c9d69e652d1e3b489e2af12f1780b2939555
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1Filesize
264KB
MD5b4873393d51355914b75b699a42b2e38
SHA1a3737fb87b8d2913f4a0a4ff1b15962ce69a9e08
SHA256e144a1e0557966d4f2efe943ff59ebc3e1a0d8efce59f980468f9a974f625f14
SHA512556cad3180ec212c0d7f7d092a84acc7751f464354e2000391b4b65369d43905490ed952af900f9bfae1ab52f137331d5aef1ce4196ea294a1d5ee4c524cea91
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2Filesize
1.0MB
MD523fb9f5e25311590358ec933599f0d0b
SHA1ae73c5ce61e9e4842f95f9e0e297683bc45c8a9f
SHA256328919b286f2488efc3499c5e8e2fb94a6dd66b5b62e46c914f8be53fef53e6c
SHA512113d8ddcbb1d894989904c4e069b430a595292d50c23d16ce049f4f14ea7fb964e81c64399d3c70829c2c1a1483640142d26b113b751e9722d2bfe65492d34fd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3Filesize
4.0MB
MD5bc7d8934ecb9f9fcaecc54013fe29150
SHA18b3b889f8f837fe50d1fa285d76cf9a979c10838
SHA25616b633c9836e2d38bbf670eb2f4998919e89224c7e637d4b151d8702fe60f781
SHA512bb2d716e586e20dd09809f3a8c0e544c62fee9365ced4f3edc10672a240c60e2abbe88dd389ae348551d7c0b3b23628e93ca508a38f8c666329ef0512407a127
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
3KB
MD57511c9120e86b0008eb12ec0f495563c
SHA1e70e927855cc56899040eb5ff8425e08489e5f17
SHA256ee65860ff447e0fa79b587f23e82342e14d7eca2eb4ad188ad207b709f407d17
SHA512694a3147b34686ec374c69a30da26067b6366e835307f4198e3ab870f782a76d59819884782fbae3ebd964f8abdc54fe1ba7b18de6ea43c1bd17c99a006cc2db
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
3KB
MD5da8cca3b5569ef3c647cd750aa5b7759
SHA15c526ebd58fe948296168b1eb9bb85c1cc6e7b62
SHA256d8a7d81546ae38e026a3c0d455c194af31abd27b5da0a756ca48bf08604b3a2e
SHA512a2430c65c752044cd83ff546d19264f37f7bf37d79c49b71bd99ed7b2aecf3546d4b44eca3c233a2b25a4c66d1ce1a171601c788b45ddca1e84af4fe92613717
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\CookiesFilesize
28KB
MD50f1b6219d69f4c74105e596bdd505134
SHA116663ad85d19f6c1758e3b4b8088f84441d8b78e
SHA2568ccf8673ce03aa09766313d777073a12971935fe4e751b04fba66ba8bec1deed
SHA512d831ffc7458a71ba8cae845734a2c332c7160a14d0d80a3d1f591c029015ee7b8d3e2c3fd8d8a8f42e3f1664ea977adff22c60f1d16e4a029928135744bc25bb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOGFilesize
319B
MD5fd7bdd9fa4a5da55dbfe1517e5818ac2
SHA12aa906a0f7eb5e018e15333bdea1cabae7957bbb
SHA2562898f9b1b87d92b8693cff259b22efeb8a7a819374a90913b4045e551aebe054
SHA5128b201895cd584b2a72e31786972b9501aec768da9b9ce7a4fcde017fd7f6ef560e7210a8b5607a2bfbffdd08a3b6de980cacdefe142231c88c25b8e166397b34
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\FaviconsFilesize
28KB
MD5ecf1822f914795ad1f309e250cf4af56
SHA1b9bea4fb904501bd441de8f3706521fb08e971c9
SHA2563f7fb343bbb14e6440af71c920f2741a375614c6d67fbdaa18ca64ec9a36fbd8
SHA512f5e74fb462eac9209ca6c41ec937e18f2bb69272289044b36b06a090b8eb5c039aa21838cd0eb3f93033deaa3c86625752d6b52928a27b4a4b27b87e7840d097
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1Filesize
264KB
MD5b17c949b69eef4b7cfde18c85382f985
SHA18df7e9ce9d1094a6a4d35b7e4ce6317d52f006a2
SHA2560d3b2cb2dca568e5bef1475776f93485a2dd309bd9ce26e9c51f4284c060bc18
SHA5122d10e73164a0c7ad50c4cf389f7cfab797f6f2f2ccbb2428979d88d41f0cba1055002d0a5dfbaa8c4c77e916ffe6e35f521dbb31f2b2e2ed5fafec3c8580ff67
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1Filesize
264KB
MD582d599c0fa3992662417d0254fc264b7
SHA1f036c597fdec125dcb044def4f50e6226e5622f5
SHA256427a6417fe7997e3b844387296a6a098acd76199cf7c7d4933b00ba9151455f6
SHA5123cabd4ea0b68663177c098a1e5e3a329ac6e411fbfb78df106b50a3df2d3d5a8251aebd4872cfa1f39b37ac8db4ed7487e2ce8ed86ba760130630cce85976a75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HistoryFilesize
124KB
MD57eb70e01f6e738fb76f5bece4d864214
SHA16fa75e2dd71d93295910dcf85b89e955de0c8f83
SHA25699408afea75f51a5fa93633d235fc673e6eb9327c294ad98b84001e065473452
SHA512e6f066a2d00747d067337f21adb1596f7b4334dddf2bb7b1e2d10a2499cbaee6d6ef5ad18c4e65a0f4cfaa7a1458d013e1dff24eeff4a417ddce2b183c2937c9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider CacheFilesize
3KB
MD5aa8288579fc6df39a3bae9ec4796701e
SHA1c54352498c9878b0b92ed175f85acdff1e8d6512
SHA2569733ef11eb78cec9840cad20161ee6a1977e2e6ea7da96cf42999d207d153c8c
SHA5127826f4cd6aa4bd83ad48c7b7043c011fa6e1af7cb1c0c3756974a227e97801e6df0bf811cacc6ae0dff599a49fc4c4048658b9f307c13cf01a2fa9ce5a0a58ce
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.logFilesize
12KB
MD5786d2f7456717920f266fbbb08f4ee61
SHA1ac4c0c93def7891481223973f460f299f3bcfd76
SHA2561d09b4ff4a2a2f1f2f9a20f1a6cd5ebe62452fb263acfd3c109d0e740aafda6c
SHA5120cdc89300f1efca6e70bec5f61aa463ffb3d02d6c118504984cb6047905da979f23f3acc736905225c34ae1dad8da92a8547e96215865cd93f32ced2966bd028
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOGFilesize
331B
MD5a111b373bd620a516688b6c3af2d20dd
SHA1ce76ee83038dac63e03d6d1808bf55585154f62d
SHA256c9c9eeb4c75d4edff3d9424659dcdc73e83797ad6e8caf118f849b256baae0e7
SHA5120085af0e66948fd70ee7a29b2dad43d86b9d39b44462a7fb70fea31566b1ad63b4bb13e5617ab0a86b8d29bf9c3928e127f58028946237947491e1963c747dbe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD56b13ca3d3fe306f7b1023ae0442548cd
SHA122f0739e7255fb15ae1fc171e5a05e007b7b2e56
SHA256af589240f33205a9724891623b8bf783fab525e3239578e79323d1b4f14c74f0