jigsaw | hxxps://github[.]com/vpn3xDevExcel/Free-Ransomware-pack

Analysis

max time kernel
425s
max time network
422s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
29-02-2024 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/vpn3xDevExcel/Free-Ransomware-pack

Score

10^/10

jigsaw persistence ransomware

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Renames multiple (433) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
5332	drpbx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	jigsaw.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
32	raw.githubusercontent.com
107	raw.githubusercontent.com
111	raw.githubusercontent.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Xbox_SmallTile.scale-100_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Xbox_AppList.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\WorkingElsewhere.scale-150_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-lightunplated.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\officemuiset.msi.16.en-us.vreg.dat	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-80_altform-lightunplated_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosMedTile.contrast-black_scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\onenote.x-none.msi.16.x-none.vreg.dat	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Xbox_SplashScreen.scale-125_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72_altform-lightunplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-16_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml	drpbx.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\plugins.dat.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-400.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-lightunplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20_altform-lightunplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-64_altform-unplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\Assets\GameBar_SmallTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-400.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintAppList.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-36_altform-lightunplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadLargeTile.scale-150.png	drpbx.exe
File created	C:\Program Files\Java\jre-1.8\lib\jsse.jar.fun	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\ExchangeBadge.scale-400.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxMailBadge.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-30_altform-lightunplated_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\EdgeUpdate.dat	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-32.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\FeedbackHubAppList.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Xbox_SmallTile.scale-125_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-48_altform-unplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-30_altform-unplated_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\EnterDisconnect.doc	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosWideTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsWideTile.scale-200_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\FeedbackHubSplashScreen.scale-200_altform-colorful.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-16_altform-lightunplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpAppList.targetsize-60_altform-lightunplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\Images\storelogo.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\SnipSketchAppList.targetsize-60_altform-lightunplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.targetsize-64_altform-lightunplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-250.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\PowerAutomateSplashScreen.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\CopyReceive.xltx	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpBadgeLogo.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4280069375-290121026-380765049-1000\{4C70472C-0BBF-4F01-93C6-6E5F8F020817}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WastedLocker.ransom:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.Jigsaw (1).zip:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\Downloads\jigsaw:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe\:Zone.Identifier:$DATA	jigsaw.exe
File created	C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe\:Zone.Identifier:$DATA	jigsaw.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3184	msedge.exe
3184	msedge.exe
1432	msedge.exe
1432	msedge.exe
1172	msedge.exe
1172	msedge.exe
3176	identity_helper.exe
3176	identity_helper.exe
1556	msedge.exe
1556	msedge.exe
2408	msedge.exe
2408	msedge.exe
4856	msedge.exe
4856	msedge.exe
2940	identity_helper.exe
2940	identity_helper.exe
728	msedge.exe
728	msedge.exe
1712	msedge.exe
1712	msedge.exe
3552	msedge.exe
3552	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe
1220	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3940	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	428	7zG.exe
Token: 35	428	7zG.exe
Token: SeSecurityPrivilege	428	7zG.exe
Token: SeSecurityPrivilege	428	7zG.exe
Token: SeDebugPrivilege	1224	firefox.exe
Token: SeDebugPrivilege	1224	firefox.exe
Token: SeDebugPrivilege	1224	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
428	7zG.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
1224	firefox.exe
1224	firefox.exe
1224	firefox.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
3940	OpenWith.exe
1224	firefox.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
5780	OpenWith.exe
1224	firefox.exe
1224	firefox.exe
1224	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 1516	1432	msedge.exe	77
PID 1432 wrote to memory of 1516	1432	msedge.exe	77
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 4476	1432	msedge.exe	78
PID 1432 wrote to memory of 3184	1432	msedge.exe	79
PID 1432 wrote to memory of 3184	1432	msedge.exe	79
PID 1432 wrote to memory of 1232	1432	msedge.exe	80
PID 1432 wrote to memory of 1232	1432	msedge.exe	80
PID 1432 wrote to memory of 1232	1432	msedge.exe	80
PID 1432 wrote to memory of 1232	1432	msedge.exe	80
PID 1432 wrote to memory of 1232	1432	msedge.exe	80
PID 1432 wrote to memory of 1232	1432	msedge.exe	80
PID 1432 wrote to memory of 1232	1432	msedge.exe	80
PID 1432 wrote to memory of 1232	1432	msedge.exe	80
PID 1432 wrote to memory of 1232	1432	msedge.exe	80
PID 1432 wrote to memory of 1232	1432	msedge.exe	80
PID 1432 wrote to memory of 1232	1432	msedge.exe	80
PID 1432 wrote to memory of 1232	1432	msedge.exe	80
PID 1432 wrote to memory of 1232	1432	msedge.exe	80
PID 1432 wrote to memory of 1232	1432	msedge.exe	80
PID 1432 wrote to memory of 1232	1432	msedge.exe	80
PID 1432 wrote to memory of 1232	1432	msedge.exe	80
PID 1432 wrote to memory of 1232	1432	msedge.exe	80
PID 1432 wrote to memory of 1232	1432	msedge.exe	80
PID 1432 wrote to memory of 1232	1432	msedge.exe	80
PID 1432 wrote to memory of 1232	1432	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/vpn3xDevExcel/Free-Ransomware-pack
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeda913cb8,0x7ffeda913cc8,0x7ffeda913cd8
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,279377556525088263,8154755546439934551,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,279377556525088263,8154755546439934551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,279377556525088263,8154755546439934551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,279377556525088263,8154755546439934551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,279377556525088263,8154755546439934551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,279377556525088263,8154755546439934551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,279377556525088263,8154755546439934551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,279377556525088263,8154755546439934551,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,279377556525088263,8154755546439934551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,279377556525088263,8154755546439934551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,279377556525088263,8154755546439934551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,279377556525088263,8154755546439934551,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,279377556525088263,8154755546439934551,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:3396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2936

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4732

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap17194:650:7zEvent18523 -ad -saa -- "C:\Users\Admin\Documents\Documents"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeda913cb8,0x7ffeda913cc8,0x7ffeda913cd8
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2908 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2908 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4328 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:1
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6360 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3948 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6324 /prefetch:8
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1408,5910331637116925385,1927605168644753710,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6368 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3940
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\jigsaw"
  2⤵
  PID:4572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\jigsaw
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1224
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.0.1562069905\127048612" -parentBuildID 20221007134813 -prefsHandle 1792 -prefMapHandle 1784 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {886d4d1f-b304-4b73-b1f3-84ad65fb52b1} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 1884 231fb9c3a58 gpu
      4⤵
      PID:4148
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.1.727713315\765331012" -parentBuildID 20221007134813 -prefsHandle 2268 -prefMapHandle 2264 -prefsLen 21563 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a63ea4a-a286-46b6-b388-4bf739a1748e} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 2280 231fb4e3b58 socket
      4⤵
      Checks processor information in registry
      PID:2092
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.2.1912639817\872805502" -childID 1 -isForBrowser -prefsHandle 3108 -prefMapHandle 3152 -prefsLen 21666 -prefMapSize 233444 -jsInitHandle 972 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58ccd6e1-9e8a-4bdd-959e-31ba7e978583} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 3016 232009cca58 tab
      4⤵
      PID:1040
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.3.58061011\1443306965" -childID 2 -isForBrowser -prefsHandle 3288 -prefMapHandle 3244 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 972 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff26bbe2-afc6-4758-bd4b-5d558cb1e10a} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 3676 231ef761358 tab
      4⤵
      PID:3240
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.4.1365395511\2147057062" -childID 3 -isForBrowser -prefsHandle 5116 -prefMapHandle 5096 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 972 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28362c0b-1063-4987-a350-b369aa5d6f8e} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 5100 23202c08858 tab
      4⤵
      PID:5428
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.6.684854405\365382616" -childID 5 -isForBrowser -prefsHandle 5464 -prefMapHandle 5468 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 972 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26a83eb0-e4d2-4740-b8e6-e2e4c9bdb0f7} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 5456 232030e2958 tab
      4⤵
      PID:5444
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1224.5.1442146052\975460134" -childID 4 -isForBrowser -prefsHandle 5252 -prefMapHandle 5256 -prefsLen 26298 -prefMapSize 233444 -jsInitHandle 972 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd2f6c1a-8998-4e34-bc2c-af85ace3d62c} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 5244 232030e3258 tab
      4⤵
      PID:5436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5780
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\jigsaw"
  2⤵
  PID:5860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\jigsaw
    3⤵
    - Checks processor information in registry
    PID:5876

C:\Users\Admin\Desktop\jigsaw.exe
"C:\Users\Admin\Desktop\jigsaw.exe"
1⤵
- Adds Run key to start application
- NTFS ADS
PID:6100
- C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\Desktop\jigsaw.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:5332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe:Zone.Identifier

Filesize
86B

MD5
1d726d00a7033a5dab753d6012eee269

SHA1
0eec68c618a8c4d44299dfb8415b9add0eb03863

SHA256
fcce59c5531bcd9542bc0fcd0427669e9527e71384a83a31199d91f157a01928

SHA512
c50f27a7ed7f26f928fe740d4086c863e7a3c5e86d85cd99ccb83534e6d58b662cd0e4608ac4729774d7028cd4b62e38349e94c67c80a8ecec9c5d637b1b0a3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\1bc1ad2d-9850-4fec-8376-bd14043d4847.tmp

Filesize
11KB

MD5
98580068e9084de7a70d9c85abafcb95

SHA1
f172f6df6ed4d89cb75186a1c82e5210f8d81e56

SHA256
a8a07c945269b22fffdc617e7f9e33f1d461ca909f7c2668c17bb34625aca06f

SHA512
a0efc603f6eae6a5784791efd73ef320a1b54868ef5e3fa535ce58ff0ce8592a8ace267f19492842b06d6211fbf05e80b8d049308ca4d6a398a5fd5a1c5c72e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0407c5de270b9ae0ceee6cb9b61bbf1

SHA1
fb2bb8184c1b8e680bf873e5537e1260f057751e

SHA256
a56989933628f6a677ad09f634fc9b7dd9cf7d06c72a76ddbb8221bc4a62ffcd

SHA512
65162bf07705dfdd348d4eaf0a3feba08dc2c0942a3a052b4492d0675ab803b104c03c945f5608fac9544681e0fe8b81d1aaca859663e79aa87fcb591ddb8136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d93269f035589f6797564a5bd95c005

SHA1
c993fa5d581be5db98f4905343f66121690a8b25

SHA256
a3ca9a1ad2cae6bf4fabe3bbe4b1b81a5689b86dab588ae3952c0a9e7eb7fd83

SHA512
4efa311ef4cf03d9645b77ae03598cd01afa5dd63b9fa0262fb27c4eef4c22c1286b0ae2cd3902f6ab0c7cb25778c7712d7a558593155515a02bb3457a0eea1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2c7ceb87cf291f429f733a7d224993b0

SHA1
a1d6761d08c43d807f4d763f2c4636f39f192155

SHA256
3d5027e5b592fa76cd958b2b68692624fc963824764223d99bf6ba2e08f3643a

SHA512
122268b311dbab26f0ba3a53557140d7045992b8077431fa536facc8da053c087c957e9f9aefc22f3bfd5a3c43a2213f9647f092dcdbe6fb055cfdc688ab9b21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ded21ddc295846e2b00e1fd766c807db

SHA1
497eb7c9c09cb2a247b4a3663ce808869872b410

SHA256
26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305

SHA512
ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1aa77d60-a5c8-4341-b4ea-9bb38c0042d4.tmp

Filesize
7KB

MD5
294a7412b6f6c8b6d7e9fac0081e7fd4

SHA1
e7a787ca44cb2431e20bafce9e25b3163cf79523

SHA256
f4d8726e9f0b678ed855e42ccefa5a9b9ce932cbee15563f360d2c8f205b586e

SHA512
7dba669f3d07b3ee23b6f8edfbfbc93a4011daf428c73efa1180e254874138e650d6ae4e1ffd6008f95ae8aa8415de19dd9caed26c1591eec4e3a8681b73b92b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
aff9cd04c97e5f2423df8a7cc68dd439

SHA1
ab18bdd27723f46727571d7b6d8b6355861afd3c

SHA256
b266ed4b9494487311c4ccdc82b3e629f21978e8a5cb6320e66b32c6fe768d41

SHA512
e562f8d5a798aa2fb2467c44d4924822f740679f7743a6482db1b500ff35fdbada9fb26a9330a1484ebd16457b18ee135463ce531bb65044acddf92c680b0d9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
0950c55ba464f89b116999b2b2e9029f

SHA1
5075ad014a5dcf456d7e970607ddc03693741d3e

SHA256
34b55e5d9ddddc7c312a3284b3cee0c7cd394c87c494e5c41ff0ff86b8dccd24

SHA512
f7a97ef3280560c310f2bc46a188938cebf47bbcb753dd78608b1a8b745d6c0203bbcfbfebbe17aa73a2b2fec80b8fb1e8a3da6baf814dfd27030b01695bde48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
005a12293c9ef92e89af7742e351f471

SHA1
e10f00557b450bfbce9c5c64793f4a4c48236ef3

SHA256
959b006eec5330c8769379c156ce78ec8bc40136e823f7da4bf8822da223d608

SHA512
fdc06d7fbd70a76756c1e53cfd5984e580e21e0af1cb7b6f82d5b926d01b2adb5fd51a6ca5a4274aca39ff4f123d093a5e24de825ba8091d65deafe15060f635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
f9b01944fa6afe8eb973f80e9cc7d6bf

SHA1
d85a0d54e9129fd7fe1340c3f58ded12d26fbe53

SHA256
ebdb9987aa0da05a7e8eec767fcb4a41f51a5fc43e4e1858adb723bd2c1e562b

SHA512
de24df4390ddc9be6bdb47512c35328445485dd86a1604507ea1e79cc46b589845c2607cb0a0488a582e05c975a5d7b9c1e510dca8671707600acd9930936243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
ebdba81853146d7e4f4578c0d52010c4

SHA1
deb89363da161616c1316fc3c56a3e6ef8e254c0

SHA256
2ff1c51ef97e9fd5b723f185cfdd01e6db1ed8a8c9ad1f773a32f33f0caa3caa

SHA512
38d5916031fc1657e1d6508dcfe60c8db06ccf5e3be375574fd5790c31656c0b85a471fbbe7731909cd8f3feda5eac0e944e9d1c21a7c97b8d4f2b488d85e70d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
1KB

MD5
ffd92d9ac1ca6443b4a7c2b2e1289d10

SHA1
3676ab0d7fc11b5ae44288c6f851abd715d5f3e1

SHA256
43f60edf43b81c697ffbe94ec2d6da070bf11c678c55ee4d2dde0a5fa577dcdc

SHA512
acf9cc2cf15100ac34fa40cf807a45dc84c7d69b83e07f4ff412f96d76f4b380d504ffd053b73aa8c55d015083a30c9ad67fd6a599460a4f56d6d545a5bd0136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
12KB

MD5
241c1ce5bfa2fd286e083f0234c9bdc0

SHA1
73a7e4fc49461e58aaee5036b26eb8a54269a3d7

SHA256
741f0e411522f2866d08b2902bc390c02b04b14f6e2e25f42829efa0662f13d8

SHA512
3d3b73e0dc57edc11c6ea81538a0843954e3b340fe63539f2cab026f02b34ef6c115d861cb27f569f80493cbeeeb0ab8cc64c0491ec25a5b57260cf03b12749f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
90e0ae3d7c24d149b24bafa045132172

SHA1
5c37fda0a4be6bd707f6a5d8447b005c0433cf45

SHA256
8934d8e5d2361c72904c1d30bdfa983538b824b1d56271b6eb17f9cbf62f6e9d

SHA512
e749f9b73ffcfc20ef8edc05f0256916e5e5c91583272e9f7aeeda87e5f5da6601af0d2d74bc87b13db22acdebc7e51754e8513681b1ba7e5fc8f94890ea866e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1019B

MD5
99fdc0dd747c9764182f6ef99b8c9044

SHA1
54db6b94df847ff122d7918de7bb06d2b42b09fd

SHA256
5f2a9477a1d1667fd4b8031d46428ec25a7e414c737a9622d5816663bc05c636

SHA512
ddf17951cf03f564c7ba04a90445479a14f8376b715d2b5c22f288af290b53001ea1e48a2db2c040a20b32636f61128cf02f3e6622a7a0d6da1bc4e7cc81e512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
ed5f4213c17629776cd75510648fc019

SHA1
ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9

SHA256
e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87

SHA512
71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
b8fdc8d04b83beb089126efbce00f896

SHA1
971ff6e70884b2cdf229be5a0cad066e3bdb085b

SHA256
c3084bc354488bb98cea934da0e3d6a462b574774df7f3b4fe289688acf3ebfe

SHA512
f5f0033e6bc47a723773fb221dbb2d5b684209ffc7a8046e708df1f5cade52b05158d2fc09fdb3867ca1922734f64fc5cb3bb7224da24df348085092385a45fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9798152c2f44e00db99392531ca5a43b

SHA1
f0ecb78ae5ce41ee924d97801d384bd3a7f2abea

SHA256
d698ddd3695f467dc3ea5723f91cfe3c362a99447d4d47e2be79718d8432790b

SHA512
ee355f0ff5dd755d7429d6a4ae080126d27014187ee5e6765a8f7628d560bff4ea7ce5d961cc5b6fffa767fce6afe4b04825c107d6b831d7f6dc55c505f40a98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1547f09f8b79302ad1e466a2d1ce8000

SHA1
0cc5bd87c9048a5fb92aa8fe7fd6ad8454b43159

SHA256
2a093bedd213c9fbc446bb9de583831d29072b19a6404726f9588b4b0eaa8b94

SHA512
16ffcc0686361b2c8ac3b291654101919859a7a032c08e5148d7ae1d59dc7983825734d25e8f267efdb1699409621edbe08ddeaea44facb1b6fcf33ee38b043e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4c615c5243bf5c65fda3951d3cd8bd5c

SHA1
dc203b3a140440e419b71c815c1039418427f58c

SHA256
acfa6952e1d85f02e788484efdc09de4759bb6bfcfe4691ccc23e6ed646ec4a5

SHA512
ca8e011ba222bcbb0dfa2168317b43a742920d13797b4cda7768bf6603ac99ec6a3d04e82cdb298ff839f270174729ff3ab67f0d30d34fef62a005bc209dda7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e46727478e59ed5508fe2e1ebfe53004

SHA1
1b4a612a0985b7e8336da6c72a631f27d4b3af9f

SHA256
72d537a3d0d2695dc499063401aac913cc033fc4ddac974aed17658a27df8e3b

SHA512
4850d4d0b685dcecc6e91ec7518d57d762361ef52deaa27be53c720b4c3384cdd44eb0ddc207f86ca144ff101d55a14db8f73e2475b7ae67119832a38bfb2c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a424619741db6ea82381ee1695ef972e

SHA1
f1ef70a409d81f4ead9ba2e672bda3f6d74aa66f

SHA256
f108f4a52dcac1e753557c9e05129f761706e23f0fee479a7621e85838a9bbc8

SHA512
9c7cd65f7689d0ecfdea614a6e1f76a5e2d293d49b6156361778dfc714e5900ec5fcd0f55cfcdead7bd9e90b0a6f0890191da471c722d75a757e5b7d6fbea772

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
35b6bbdb070274634cb0ab7cc271b36d

SHA1
8d33e630f294ee78f1efa178cfabf3ce2b8ffb34

SHA256
875cc4eb84bd6f6dddb3f1ec6e4e6a4bc02a9c0ca6f961708ffca29d468b339e

SHA512
21cd8fd4c386bb59f03edd2b1355b9d41c51211ecd6f8cb66acea1e75ff016eb1aa9a71f1479288670cee6084819a0f87c708a97ee76ad2572f355e0ee2082e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
688ceb1ba7dc5fe705c17d401229cba5

SHA1
5780ed756e8ac4f2b30798077aa5c890ad942c6b

SHA256
057c68bff8edd640f0e2149586476229348e7f8935df634c5be171d3f7597cc6

SHA512
d580f6ee2dea4efa5e0c7d9cd1f4a40553543e26fcab74e3dc10c381450cefff4e4d4edb0d875249a7e0513bd51b2389417a76cdcfe4e161ae9cee653268b2c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
758b9e72a8dda7b8ad81230a2d5dbedf

SHA1
a768c4d3a0af8d6269c5ac92e6158b0f7d01c2fd

SHA256
1526b4142fb90242143f19268f435f36900d227fcc65a9909973b1f7c2707383

SHA512
1390b668f14dc3ff88cc95f358a150fdd47336246db4a735d26fc2bcf548961302a3cb59ee8c961269e9815ce068d32989288e854dbd1aadf21301d42dc31734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8d10c01244c2d63d65b62912167581e9

SHA1
39e34fa6797787681ff2c3e3e5e5a0464cf244b2

SHA256
4595d253c1244309d16d687a53f6af123b03bc0fe23fb971b093038ce6ae1dab

SHA512
f832f809157de270ed645b9cdc6afd53c3beba8095a96452fb67d0e29459cca792faf6a2ae542dc00e06d5e24deb78fbde770691af4f2f0cdce1b3d82efa8ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
687B

MD5
119a3f9d932987d6e4fa5f0d9d8ff907

SHA1
c3fc59040e09cc423ff5899dbb3d4d542d4eb772

SHA256
987b7c8d810f2aeb1e3d648adbdd1cf5fc07a5b7b55566a61c0553583544832e

SHA512
0b7a940510c6faece0be1fcaf341d6e104e929f6da71dc0bad00d4dbc428540c025cd53e9909feb49ef56d620d6d82ce217d9735c4eb172e89e199971a23ab07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
18653ee8cec1dc6e33f30dcf38cdb58c

SHA1
7979ae704e614ed63fda836ec5928259ed3ad05a

SHA256
4e116a0245a960a0dcb614b3e736a11f921675dbf0f1fd4f102137536abda802

SHA512
3d1f21603d1596584148fdcff67ad7dd1e5261647582e2ec6427c9f167ddccbd19b9776fc675eb8d57a9c7cfa67a7f778ba385a630e8bd4d220639b32139f7ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13353694531245093

Filesize
4KB

MD5
ab8338d3d91c720e4c73d20c483e0b3a

SHA1
024beb611aca8e9e6d525984749147390e8ff549

SHA256
f6ce5d7493373943619f9534616fa0a933501dc24e78222830a0b2b533fd865c

SHA512
19ffe6ea87e8080de1349c494e2955401b0824db1adcc7fc6f86305d6511143b0ec687862b5c7be86d66541a0a04e8e01d83ddf1f0e5626c7897e782de169bbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
120c6859739c1de8279e1c557443b9ca

SHA1
9ba1243ea4c28e541698770a22d177be7e82bc77

SHA256
3509c6b4d8820ac5d22563f0cf0c76cbb3e73f4880f0a133dedbe96f6dad7db2

SHA512
44ea5a4861063570bffe8b67aba9d235c329e90ac6f449116e87d1ae0698efbcf2b6cd5dac91167097d2d28b97ade63386594f3e3a5b33a9f06d7a6e8100d422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
c56da33ecb1e281e192d13d5ebccb288

SHA1
8c17020dbf218bfeeb3c95ee829a9c7596db5e61

SHA256
0ff40912ecd367d032eae5e4741451b3ce6812bd4c12aa0c3026b51a40ab93aa

SHA512
27348384995a90e8e23295476029132d1c1c4a5f83d92fdd94007a8e7e0b42b8c35b47aa429c0b640cfa9c5ea051b6263fc35b9df2c619e7e1e5fe8b762df808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
ed4206a19aec7b476303f99b6352e580

SHA1
3c1967cd527da2378d0b05b20a5d705eab1dc555

SHA256
1325aa8024a0ca029219fbdc881ee4fbe54a16c98086a190564b81e872b2eb62

SHA512
b161f2fa50f762857d30698e3c4a7d560878ffce593af736ce963eaeafb78d415d0d7bcb39af4226e2c9c4b5d17ae5688e3634c146e554d5ad2dae278dd83d1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9f42e8824cf5055f6612055d271dcbc5

SHA1
f37cbd457ba7a1d065e4195d45dcf704a2ead61c

SHA256
5e1703e8729df677c7ee0deb797505eb9bdca5cff4952438b468adf782d203a6

SHA512
dcd8f55e3d7a3d349cc08e45d5b3cb178ee505e2cf59025116c7db59d3583aa125bba5cda814bd020cb2f281a9df50b88043564476b03bd96e6c50e7b060d0a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
88b4279fb73f08ce09f92c459f859654

SHA1
1f927c8b06daa07f607bda7b2004993f0e459718

SHA256
ac30478f75bb674f1d6e5c6decf03b79187225c68f2035045ffbf5c3ad44ab8b

SHA512
11d65a4ff82c5161232b0f9598e7962afadf4daf2a10672a468c2640dec6609ef329bdf76a654238433219034b93899c33e8f76f906aa6a1f8841b132ea3f93c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
450ffc177bc9759d04cef877a15033ed

SHA1
cc2cf8463fd9bae737860a3b34547dd293de13f3

SHA256
40df550ed9fa6a6d103e915de7cf552cac2e8480eb9e52254d6385ba219cb912

SHA512
34c53526337ac3c72a868c3dd77d1afe51fe8f95bca0ecbafcd3527c4e730ec1eaf066825983346be87c6777e4f4392619f199973763797fd442c81faad02498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0d6fbe7a9bbf5500a733b5aabc05771d

SHA1
963d42047c085e3f7c0988a58c8e5d48d3d26dc2

SHA256
b05f39b0a23d994d6ad71a06e7e34d8e120b4d6224ee3f45b88f788a2748e128

SHA512
a25ad4cc709531279b7ae935778d644ef91e386a67655ff495ab0acd100731b6ad8d22d3dc6518d35ea99a35c216f418f02e22f6c5a73de8ccb056aa1ea092fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
54631805c55157a69e2376194db3b7b4

SHA1
c5e831b8e5225c7f53cf0f0e7777de2db18bf087

SHA256
abcaf64a233bf63b390df4bb7e9245788ad62e46336bda48b64f7e4a9506bb14

SHA512
da2df7a9593944da20c37e0e97f58424395b3ebd953acdeaea5c582b24ee27a04ad4bfd945438d436108c0a825a23298207759acff00e5095ac7b6c7ac7bb10b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
89d38b6743061aa050e1f06e67e9b0eb

SHA1
f10b52ec7f49cb61803530a88868cf59e3c45a8e

SHA256
d78f6097daa8356b8b0152522eff4869dfd8fc68675cb8f50fe2400a3629ffac

SHA512
6c17942c4d96ec517f7f21544c93045581a76f532d9457af3022620372fcd9cfc85c7a60e4338623f26e06935f0ee9a956d62dc260b92760a595a893dac84ba5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
01a9fe881d43c7f88086f11306eaa761

SHA1
faac873d15dc1932134170338bcf15d770476936

SHA256
efbd67297195a529281b59e50a604a4d470fe2dc53feb45551206e6b39bd0408

SHA512
1089c3d4bfa5bffd55a65479b98cbe33387f1f4efba4d19615daef4e895718979ec013dd402e80854cc71b4ba7cee5b430c4695816ff33a1b0f10dc687e1efe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
72KB

MD5
5d9160ddce1ea2bf5546be8daf424da4

SHA1
0166ad4536f31510023b72dd7d24fca9d4815c48

SHA256
5916c8a9358bbd3a43896acc2d3f7ab26072034e068b03fa626ebd47b4de500e

SHA512
99e2848aac9cac4542f7331162fd831c07c86aef735fba0c132f6d4108bb4cb6eafae3fcc39c8c4e2404a965564b318012bf65cc4faac3f17d6794f71843f2be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
2KB

MD5
5c13395b01734faefa6825b8a4074336

SHA1
03866bf5a840daffbb049160a2b0dbe0edc83620

SHA256
900f629208e589bc46c8357543633414710db14d23fbc81cd33a30efa0755817

SHA512
2d3ce28c70a559612569aab586a0da03feee371d70edc29c346f372e1867d864403374a13bc4f3a7ffcd895eeaf046b5a7e9f9432deaf05e0455f8b0b27bc8d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
73ec19e91c168aa6b5967ba0ffc4cafe

SHA1
825f2af611152ed1512e5f7e5b0b1067af6a18bd

SHA256
24ca38a3ab12d2ee4b5ddce65f10373d8be65fba7d52d7944c7ffe23faff3896

SHA512
d035d96448801c2ce062f8b8f7575d43b6782bdc77b981339101f63f5440e25bb68e0501bc0d69248ee471f4c5d53adc718bb5c1bc5a67094869716a2fbee46a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
a2e20d40af858ea6cfc58b2db04dbd98

SHA1
6f7e75ae99a39692806d6ae387127c9ecd2d8ab5

SHA256
036d73efd0743902d30359b3a0fb1791df2ae457100d6566b0e2478e718db338

SHA512
27d438aa6bed88683c0a28a87defe47fbdbfda0548c833e4c4c7703bfffcdff42aff476e0bb74250facf151d0539157c1989c017a9b75c760273766976eeb49d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
3201aef1938833f85e11737da6328508

SHA1
39e0bad4caff5c3f132110196578e9e909ea4c40

SHA256
0304856cd76f631eeb69177340318e7d16c3b48720834becc800bf71307c9703

SHA512
5f7f221900464d5bd605434c5b71185e7ded0374ff4033c4e5dc68c9a94bca07a520c0fe714a2cbe711ff4d27491e8ccd4680fa884d49d4e90c0290ee70461df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d19dd67d413d8ba7ffc775fdf2a32980

SHA1
2d65f7ce3d88c51f1aa3f578a921b103d1f4016f

SHA256
38483d9fc134362bf77676088fa6b9ef761a83eba826c24def868400e357d9f7

SHA512
65a32bcbe550e396f77cc5e3f8d134fffd68aae6d9adfdd63386f49cbc60df70dc908fc312878844d6c4ea676aeaf25bf196fe3ebacf8e333469f62e5eb81753

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cd71a999673048bc77827cc55d2d6c1f

SHA1
e8ac08ac7703959cd49f74a129775a0b9c43979c

SHA256
4773e5193c6c207886e771e52332ffb4ffac526ff2b7cecee708de8da6c43d72

SHA512
27d576d9313bd3e26103f931b870e61e3ee91acf2904a96fc378d8d31ca178e3a1e517f2174407336dcc9f953920e4a07e3f3be9c12701c8ab709b630d40f1a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9173148c27e27088ad2344325c88f274

SHA1
da1f4050e642c8ba9482567e0e12d781767dc5c7

SHA256
d42986c9415f51a60e6f7aaffa0ae411772cedf8f81208623cc952e10b889dae

SHA512
c03e6b4999d299e17c4a3c376ec3f976d43ce973fdac48da1db90556101cda17f6d2d105ca661ade66d554744a2dcb5649e118439fbf0035027df583c10e8548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6fc744b795f206f0eece99d99a73e585

SHA1
0c671ed21fd1e9453845c1744a531a5e1fcf4d9f

SHA256
9845c71165b93a44f9924f4e4fd1909f7334db456fe771a0f25481049430adea

SHA512
8029ca86b462e14ca129a09944f3b0d752734dd3e1624e92bb9b4284678d8fc0eba2f468c5ecb7a329f6fea5dea0e2e6b78d41b36df1bad7713ce7c08554e814

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
42eb333428165baf4b8500693910dcaf

SHA1
828aa3b77e083e6b5996f7870eab2774d67eca6b

SHA256
a1b08d08889e292e3349439a77e105ab1f816497256fa436efd62af94b31cebd

SHA512
7902c806008d9b6c7d791b4fbf313c214c625adef133b63283a4ce1eb6ea3674a783f674e6fc7101941b0687cbd63870aee3db5f5bb47274241f3a1ed6000416

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
c7535692799d61e5d2d0f7cb8e56b674

SHA1
eebe7ca9b21c753714595e14be8126746f6bfb18

SHA256
0b3a06689379934180357076c0ea9b7807340f83936522ea9060dbe0b703d9a0

SHA512
3837b7d5bd344febba119613a83b51336205975900a5188290caafb1bf9be6be6e1a14b809c26a925e1537ab20ab238ba910d5de13dc5e78a9ab6e89999cb20f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\datareporting\glean\pending_pings\89959646-9d1f-4358-9a6d-d28cbe657d40

Filesize
746B

MD5
526de2c6b59fc5d50758712327c06dc7

SHA1
55cc195f3cfc5ce5e2fd794743164e529b96cdb7

SHA256
9d854f883d79ce33890e20f3fa952cef230b1421215b946eb7e59c02b6fd068c

SHA512
5c0ac890cbd703b3a9617dcc5aeff96f7892cac831b1701e35b178f75c37e2735a002f47ffb7679cf80512a2e333ddbf684ef3892efc7a6c3e07db543b90000c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\datareporting\glean\pending_pings\c22f3922-5a99-4e46-baaa-65b74092b1ba

Filesize
11KB

MD5
bc76175dcb442f669478c4bea435faba

SHA1
de3786d3cba39085cb62e49aa395a1756becf40a

SHA256
55048f9811b87394bb5386683c21d2f6cb77ed23dbd40d9defab03f861a87413

SHA512
a90b41927130cfe08c3ae7d42819fc5845e45c40787b93671a3ccaf57559ac2a8175b1a7260c162e544a3c005812aa4869a330008ccce2b4b1b187b7f2543b25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\prefs-1.js

Filesize
6KB

MD5
c014e323cc4d6178f6a646216a094c48

SHA1
aa6620fa8eb1564bb4d517f511c48494d98e9c12

SHA256
9b7237f7a9b595fdb54997c5b6955c9ea793e5494021c7754bfd44a56e5d366e

SHA512
a7c6512a6d3b275f2c5285c1b8fdf8bcdf73f965994d33074caba17f4bfc4cddf9cad4c27b10268efcbc65b32fe129c6fd02afe0f20464a7efe8441f7913488b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
1fb5ba42772af7fd5e3129028c50ca6f

SHA1
51d5a934208d4b772347296fd812983b0be91a69

SHA256
e88784b5b673e587a8854ae022c9d62fc54ba156bcaf3a7ab9c5b51fc13db17a

SHA512
5d82041e1861bc63196c9a82f1f61f5fcb0c08f0ee9d30ddf87e3d2a3cf40c37e95be95920495abc7e2869c9a4b3d95315f66458004f3ca14c0b377954162fda

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionstore.jsonlz4

Filesize
725B

MD5
b3808be22c842b0f17647cdc69a88ccc

SHA1
a7b5f072fe24338c497e2df505bc95f8cab686d1

SHA256
2be4197d9bf0144bbf2c447a1bf76942d35d8fa35281bec74505967103146568

SHA512
8ee45acd66a32886780e5c3073057aa5b6cc2f4eebf8c6c5e81a40d506f4568f3dc5cc57d6881e4fb1e1559a5745ec3c303187d483f0df002e47fb403c1a0c86

Download Submit
C:\Users\Admin\Desktop\CheckpointFind.reg

Filesize
703KB

MD5
efe05f88070cdf6df81adcfc046d4e69

SHA1
1f006433be03fc94adc31e48541d8ce168500d10

SHA256
421e5a8c139b67e1dc858c40b92196b3b2af63bedd7186845e69b0615ee7df5f

SHA512
93d6fb6eac1fc439b57095a7b83e94266b7849cc0eedae039bc307b2b25dd839b5a3dd7b145b4303d30cca1b61e679cda66c194da5186fa8da25a29e2679aa70

Download Submit
C:\Users\Admin\Desktop\DebugRestore.crw

Filesize
429KB

MD5
1be1d30c364198c6067aff2cba9273f3

SHA1
924e90df2ca18dbf4534b1a36d903095964ab639

SHA256
a0dff4af063e87f6f51bf59bca2a82601950ff181d1946ecb08542ad529548b4

SHA512
3ad1a62171497e36ef0cfc554ead55f4c50b12d0388b763325273bce9fcbd1522aa7307dca33ddfaef9b129aeeecc3967a1af39073be8713d921245266aaed6c

Download Submit
C:\Users\Admin\Desktop\EditProtect.rmi

Filesize
502KB

MD5
0e6fcb17e305a526659e779b9a8b3f0c

SHA1
67dc3f637bb6f9212f066814cbae4b966cd91fff

SHA256
8b0407760183fde363be52ed053a775c8704e5ad14302449da5a4fc4ad3bf618

SHA512
1211c7de567e6e274807b3343a2bf8a357ad1a32951bcb49dd63685c51ae3ebe18bc8c9d29c6efecaf489ec095a8599249602af65b75f70ea1db150c0519ad51

Download Submit
C:\Users\Admin\Desktop\ExitRevoke.ps1xml

Filesize
721KB

MD5
7ef660eadb30fc3e8ab8f6489509bb89

SHA1
a2faa1917e8615be65caeefd28bb5e6bb7625487

SHA256
f56acb77a5560ef5aceb4c9b5d686ff4fd785ed1bbc640c12a5ec4e25b210507

SHA512
e8698472c235ba3825a0ef369918f7e3c2635bc3ed4f182b247767005fa20f264afce1cf0810474867e392bc4ffa02a8a0bd9c815ef6bfd5859bdc88dad2021a

Download Submit
C:\Users\Admin\Desktop\ExportRestore.exe

Filesize
538KB

MD5
70aced1921038ae87b52e26e2063033b

SHA1
390c99cc39cde876e7ab873ef85ef80d656b8d35

SHA256
42fb366efbb9b328f2a44d0efe71b5e9ddeb0e9240e2ee4080e6ecbfe2feae55

SHA512
105f442e1abd33a4ef93016c6eb86c1efeaaf68d88ef323d394c4d29be9841b783d5cecfdc15616a7bd2a07596fec1cded17e3157ea4c444e3bfcb1fc531d61b

Download Submit
C:\Users\Admin\Desktop\InvokeSkip.css

Filesize
301KB

MD5
dcf3f97afeb4f4299c4ac96192a7eb0d

SHA1
1864a7411644dd8e0f6e81a80b1e33ce4b1d42d5

SHA256
dcae27222c1674c96a32061670773ac7485b0135e115dc7e76701fa1e7dbba7a

SHA512
d4e3df45834e409eac95da134e17f0d49447081a026d3211d8479d0046e0d251fafdba32d4b6bc9e2cc8c00bf2fee3b2cb1d40977cfa2c96393bc3022ac4e359

Download Submit
C:\Users\Admin\Desktop\MoveConfirm.TTS

Filesize
283KB

MD5
c6b41a6be802f3c54daf4cd835d5718f

SHA1
a394754bd4ae37f7ea71bbfeca1d7a098eec6440

SHA256
08b0be5e861f35ee592f2bb407a2d9fa3a439793a26e8e57c162d7d273bb9a17

SHA512
9cd82a1817de9d079243b5ce131027699008b609b24536b91004137100ab713acb26d032d7a53e1df7c870bd93fec8e657bd71a9bbc7a270e6e5f9ffcdcf2b4f

Download Submit
C:\Users\Admin\Desktop\OpenGet.001

Filesize
666KB

MD5
3fde78750d423f547d71e87cc1b50987

SHA1
031c42b77704e7be78383233a9be07a0e6690573

SHA256
11e5d9736c93e808c1d1706a57d8fd7efa9a6d484dfa705575c566c917823e52

SHA512
83405e8cbb9dc28a094a89c71f4d9eeb639ba2bb0cb6d3f093ef80cc1326dc4e130aad5217f370e88f95ef49571d519d133054a5973493f68667e05a5c698f4a

Download Submit
C:\Users\Admin\Desktop\PingCompare.m1v

Filesize
739KB

MD5
225ad50027a4b1628952a9f627e06627

SHA1
ff6778845b91f87a6203e7ed8f7b2829dde5582c

SHA256
b8d6cc4b9b3efee10e963aad38687196a2983497ef7284b3039f5cfc5203f230

SHA512
8f0cdc1411e5e48ce29bdfe4fbbdff902390dc5fb6211cd06b4bea0ff28ccc8b35d72aad2349122715b6e1001141f9b7a7594778356d80d0ec06d5a153eed101

Download Submit
C:\Users\Admin\Desktop\PopSet.rtf

Filesize
684KB

MD5
ffe2e11853ebdf42502a85bdbdb16e09

SHA1
4441c1b07e454ed7c5b776ef83452cfa6a8a41e2

SHA256
31c7d631f3e002ba382437e48329fd5725f9c14e8f5f51097e691dfe807be661

SHA512
0e7accdd9a1a8bfb40bfa7e12234830daec878ba71341f4dc05841cebba3c1cfaba2ccff75aedeb8f167df25de49d91044511f9c71b3fd27acc8199d1442aa47

Download Submit
C:\Users\Admin\Desktop\PublishGet.ps1xml

Filesize
520KB

MD5
18aabb7c29f0e9a57f4af531e11c0bbe

SHA1
d68f063d28f9935b093453f849e4e606ea489c94

SHA256
c19c537df710ce792a84399d55d0817bcd42c4abe4cf398376bff1d7b6910cbe

SHA512
f7c292f5941829604521e58c44374195d69adb131cc0764347dc0a7843269c4ace597edc982df36b60ea46b25db5739619c2df7293afb4e63204a830da0af036

Download Submit
C:\Users\Admin\Desktop\PublishResume.ADTS

Filesize
410KB

MD5
36c0bf5198385ad8e35a69579439c49d

SHA1
b8c9e7b2dc0a6be6c3f3ea79e5497414ff5c82a5

SHA256
48c80daad6dc4960f28332ff393b6c195c07d0b63ac6aab5aa040e68918ade95

SHA512
97566e3932b89e7bd67a582b8fb90091c84e3a1aa013f4152b99111a966d283414f7732414464e2ed7e21c96cea3576bafd00bded20c9278c8f9138b09ed78e5

Download Submit
C:\Users\Admin\Desktop\RequestOut.AAC

Filesize
319KB

MD5
bb2679382c9cbe32603c23ed23376984

SHA1
dee036920d1707f4166cc3df03a8bc167c06bf16

SHA256
6641169552f863e51a21715ac4321eab7df029e3238eed22e8e86f1ed2f66b92

SHA512
6a92a611bfe7c0488792e44a21c0ee402474168d3bd1f295f991057ca05424abbed0f6c5ef4141c906222ba4a9aaa24749c801f901b102e9689075d3f9703118

Download Submit
C:\Users\Admin\Desktop\SaveUse.eprtx

Filesize
1.0MB

MD5
cc5de5f9960e27b08621cdf843256564

SHA1
b61a689f211076245b1f21e3bd4d094f5c2904ab

SHA256
13048f82cdbad8089b1fae3b53cecf5f0e55fd02cca11c36463e6bb43dbbe227

SHA512
08d9d710850e83b0aab8e9d964af4db33aeabdf658d55d50ab9eb3fd020d8d26cf3866c5a33d3c6711584eac44853183e93f18049daf07cf0b01bab707805e17

Download Submit
C:\Users\Admin\Desktop\SearchOpen.mp3

Filesize
374KB

MD5
fb0b95886f90257026b3306eb230537b

SHA1
78579f2d2c2ad590b7c3c31d8205d83e6f1c4748

SHA256
8d90392cbaea2fa84138d22b7556fc385bd6d75e6ad6de00893ee0b737313fd3

SHA512
2253ea0ec8f7bb778b7720b768575188a394db460547cb1d6a0c63613890ae73e0eae9af79d46e29bab3933cef67f0754d68ebc3079a80fc0eafd58e31bd5612

Download Submit
C:\Users\Admin\Desktop\SuspendSplit.M2T

Filesize
757KB

MD5
1706a705b20598ea47d3163bb875e1df

SHA1
c84616890b794a35bb837ac0858d5d1a153dfe2b

SHA256
aa7c7f24310c2a24bd9c06e5dcaa09fad4b7d0089b1088c74252b4e73675eb67

SHA512
c21ec0de7f59e01cbe704ff7fdb786ddc84dba5b9145cbda669b54182af75d4ac553948e9df88b7ec102c11054a4e676e21188f5a3c727dbe467911b4db5bf2a

Download Submit
C:\Users\Admin\Desktop\SyncSend.ppt

Filesize
575KB

MD5
fd6585278a0f8d3a5d9537ab32bd0f8e

SHA1
bfd35af0a2aa7786747f0afd70eaf1e1e5fb06e1

SHA256
84ca6cebc21911c464aeddbb32be5d69b689f6cc10c0dab60478f3ebe538fed0

SHA512
9a560646aa0932e74a9fd484c20bcee2e9b87addabbd14dabd18a9d84d78a073c46d64012be6a08147adc115efb3cfdc470d9d233b8a195f28aef9fb7d7d59df

Download Submit
C:\Users\Admin\Desktop\TraceEnable.mht

Filesize
465KB

MD5
8f21caf8342fa449da61374fb2cee5a9

SHA1
129917586d928392a2bcf595e0618f1b6477afbc

SHA256
b921a577882668145eab65f6bbcd483630e1fa028d184b21294f6d7d30c53484

SHA512
418b34da090cd4dae40957ff786f3cc59ea386649b9dc7ece8559a377fc71efbff021c53a4eedb4cb99d8dd258138ad5b49511fd1cd5bd1540bdac40a209a89c

Download Submit
C:\Users\Admin\Desktop\TraceMount.rtf

Filesize
611KB

MD5
507293645b7a47f089d30d2d3f2b8462

SHA1
984edfa60715bf38bcac8f21ca67ff7ebdeac6f2

SHA256
294b91d3863b622a1aab0324b0add90c458220735919120feb157bfdbf1bfb03

SHA512
55ce337f31512e99036af6fa6be9314a5e76c8df205067b938c9667b07e77c6e9b8321c6fbae54bde73ff643ba064a14b5063d3f47cd14330b010a76f9d8b236

Download Submit
C:\Users\Admin\Desktop\UnblockClear.m3u

Filesize
392KB

MD5
a9e5aaf08105f0193cafb8dc4eccd2df

SHA1
90aab37be6b970aac77a5704642b7ffc130e7437

SHA256
6d6c306d6b53673c6eb8a13238975467419f4a830bc7752a6aeacc792cee1fca

SHA512
e18ff39fc2aeece29e9af224fa90f328705c46399bd034d0d89e87e435fbf8d27b74fd453d49f8543dad5930ddb0923ae3ef98ebbfb49987a15bd50b67f6a921

Download Submit
C:\Users\Admin\Desktop\UnpublishReset.svgz

Filesize
648KB

MD5
374eefc385ac60f804b35b731a106da4

SHA1
22f7bb5af1889828f60a61764aad9ab3a6ac72e9

SHA256
d560bc97722db61aa91c3ace085cbd8ded38faf66d0f6800f5bf59f8ffef3277

SHA512
3e13a4bbd3ade635c766308a69cb0c618382973cae14c64066a3302ed5c0773e36197b1cfa9504a462a5372bb08e378867074273b192d5d880ddfafa452443cf

Download Submit
C:\Users\Admin\Desktop\WatchJoin.M2V

Filesize
447KB

MD5
1df5d241a39f0cf298ebede071d99e52

SHA1
c6858c4962024390adbea4b87fd5498e3b1b372c

SHA256
fba1a8a7c11f3022ab932dd177da8e35ca6cb995ad42b2faf18144fbcd058833

SHA512
e0d4ed8c4b8a1048cb983335b1532efcb4f9c37c6249ad52714109fd1cfcc2b59a46f13fe4fd27330877373733f16045cc241a976e77269268b2384adfd6de67

Download Submit
C:\Users\Admin\Desktop\WatchRequest.dwfx

Filesize
483KB

MD5
bcf7f69d44084ffd4e86f3a3e19a9231

SHA1
fffc5b849fe08056759b95682e5a159dacbc050d

SHA256
bc1e3e0c7f89f5325c2272bb387086536acd5ba99ba4ff787a5d9ca9b34ec23a

SHA512
79cac6ad8e260a0e4ae9b4b4a85b328b74d068654b996e23577054f360bfe6f8f9ad234bed448d73dd2d2f371836c7c9977a960d93b97cbd62f6bcc05243710a

Download Submit
C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip

Filesize
239KB

MD5
3ad6374a3558149d09d74e6af72344e3

SHA1
e7be9f22578027fc0b6ddb94c09b245ee8ce1620

SHA256
86a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff

SHA512
21c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720

Download Submit
C:\Users\Admin\Downloads\nxqh6t5s.part

Filesize
283KB

MD5
2773e3dc59472296cb0024ba7715a64e

SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859

SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

Download Submit
memory/5332-1157-0x00007FFEC8070000-0x00007FFEC8A11000-memory.dmp

Filesize
9.6MB

Download
memory/5332-1158-0x0000000001070000-0x0000000001080000-memory.dmp

Filesize
64KB

Download
memory/5332-1159-0x00007FFEC8070000-0x00007FFEC8A11000-memory.dmp

Filesize
9.6MB

Download
memory/5332-1160-0x0000000001040000-0x0000000001048000-memory.dmp

Filesize
32KB

Download
memory/6100-1131-0x00007FFEC8070000-0x00007FFEC8A11000-memory.dmp

Filesize
9.6MB

Download
memory/6100-1132-0x000000001BE40000-0x000000001C30E000-memory.dmp

Filesize
4.8MB

Download
memory/6100-1134-0x000000001C310000-0x000000001C3AC000-memory.dmp

Filesize
624KB

Download
memory/6100-1133-0x0000000000E90000-0x0000000000EA0000-memory.dmp

Filesize
64KB

Download
memory/6100-1130-0x000000001B840000-0x000000001B878000-memory.dmp

Filesize
224KB

Download
memory/6100-1129-0x00007FFEC8070000-0x00007FFEC8A11000-memory.dmp

Filesize
9.6MB

Download
memory/6100-1156-0x00007FFEC8070000-0x00007FFEC8A11000-memory.dmp

Filesize
9.6MB

Download