mountlocker | 85b53edb2e3476bdb29f98bd19c56baa0205e6620917e654cbe81c9745d6193d

Resubmissions

30-04-2024 05:29

240430-f6xncade75 10

11-04-2024 13:06

240411-qb4taafb9w 10

11-04-2024 12:33

240411-pq9seaeg2z 10

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll
Size

56KB
MD5

ed6e7169456ef1f41f6a45812dda7d98
SHA1

c82733e2d394b272db6cbf49aa8a1207c8d9fb87
SHA256

85b53edb2e3476bdb29f98bd19c56baa0205e6620917e654cbe81c9745d6193d
SHA512

0e7d3dbe68de4301501df68b1eeb36bf68ca3ea61091710352f68f09f8f9b8b96888ccb2419330b2fbd7b592bd98b583aaea818345c87d591b9b0a96845b8d87
SSDEEP

768:65h+QW4yKs5INTjabOSQwrPG12nFb5GnVWs6k:63XWNKQ2jnSQyNnFbgN

Score

10^/10

mountlocker ransomware spyware stealer

Malware Config

Signatures

MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
ransomware mountlocker
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 25 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\3D Objects\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\AccountPictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\OneDrive\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

File opened (read-only) \??\f: rundll32.exe

description	ioc	process
File opened (read-only)	\??\f:	rundll32.exe

Drops file in Program Files directory 2 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	\??\c:\Program Files (x86)\RecoveryManual.html	rundll32.exe
File created	\??\c:\Program Files\RecoveryManual.html	rundll32.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\.F30D4911\shell\Open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\.F30D4911	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\.F30D4911\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\.F30D4911\shell\Open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\.F30D4911\shell\Open\command\ = "explorer.exe RecoveryManual.html"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

rundll32.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
4548	rundll32.exe
4548	rundll32.exe
516	msedge.exe
516	msedge.exe
1448	msedge.exe
1448	msedge.exe
5064	identity_helper.exe
5064	identity_helper.exe
2272	msedge.exe
2272	msedge.exe
404	msedge.exe
404	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exemsedge.exe

pid	process
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
404	msedge.exe
404	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exe

description pid process

Token: SeRestorePrivilege 4548 rundll32.exe
Token: SeDebugPrivilege 4548 rundll32.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

msedge.exemsedge.exe

pid process

1448 msedge.exe
1448 msedge.exe
1448 msedge.exe
404 msedge.exe
404 msedge.exe

description	pid	process
Token: SeRestorePrivilege	4548	rundll32.exe
Token: SeDebugPrivilege	4548	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.execmd.exemsedge.exe

description	pid	process	target process
PID 4516 wrote to memory of 4548	4516	rundll32.exe	rundll32.exe
PID 4516 wrote to memory of 4548	4516	rundll32.exe	rundll32.exe
PID 4516 wrote to memory of 4548	4516	rundll32.exe	rundll32.exe
PID 4548 wrote to memory of 4252	4548	rundll32.exe	cmd.exe
PID 4548 wrote to memory of 4252	4548	rundll32.exe	cmd.exe
PID 4548 wrote to memory of 4252	4548	rundll32.exe	cmd.exe
PID 4252 wrote to memory of 1996	4252	cmd.exe	attrib.exe
PID 4252 wrote to memory of 1996	4252	cmd.exe	attrib.exe
PID 4252 wrote to memory of 1996	4252	cmd.exe	attrib.exe
PID 1448 wrote to memory of 812	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 812	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 3144	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 516	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 516	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 4352	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 4352	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 4352	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 4352	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 4352	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 4352	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 4352	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 4352	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 4352	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 4352	1448	msedge.exe	msedge.exe
PID 1448 wrote to memory of 4352	1448	msedge.exe	msedge.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1996 attrib.exe

pid	process
1996	attrib.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll,#1
2⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E576E5A.bat" "C:\Users\Admin\AppData\Local\Temp\ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll""
3⤵
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\SysWOW64\attrib.exe
attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll"
4⤵
- Views/modifies file attributes
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Public\Desktop\RecoveryManual.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff25ff46f8,0x7fff25ff4708,0x7fff25ff4718
2⤵
PID:812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,1323271429506243590,8427388177752112741,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
2⤵
PID:3144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,1323271429506243590,8427388177752112741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,1323271429506243590,8427388177752112741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
2⤵
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1323271429506243590,8427388177752112741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
2⤵
PID:1552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1323271429506243590,8427388177752112741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
2⤵
PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1323271429506243590,8427388177752112741,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
2⤵
PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1323271429506243590,8427388177752112741,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4336 /prefetch:1
2⤵
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1323271429506243590,8427388177752112741,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
2⤵
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1323271429506243590,8427388177752112741,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
2⤵
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1323271429506243590,8427388177752112741,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
2⤵
PID:1764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1323271429506243590,8427388177752112741,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
2⤵
PID:464

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1323271429506243590,8427388177752112741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3684 /prefetch:8
2⤵
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1323271429506243590,8427388177752112741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3684 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1323271429506243590,8427388177752112741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
2⤵
PID:2768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1323271429506243590,8427388177752112741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
2⤵
PID:2868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1323271429506243590,8427388177752112741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
2⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1323271429506243590,8427388177752112741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
2⤵
PID:2412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Public\Desktop\RecoveryManual.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff25ff46f8,0x7fff25ff4708,0x7fff25ff4718
2⤵
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,10085005695274063558,17500634330273954589,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
2⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,10085005695274063558,17500634330273954589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,10085005695274063558,17500634330273954589,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
2⤵
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,10085005695274063558,17500634330273954589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
2⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,10085005695274063558,17500634330273954589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:5408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5508

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\3D Objects\RecoveryManual.html
Filesize
2KB

MD5
12a8c957b680ec30dcd2208e2803d60d

SHA1
5fd53b025c3c731212e1f91eaa19c53015b162da

SHA256
847f63defd9fdf6e817436b3aaa50a29dc83a3063d54e83adb79d3cb81974c66

SHA512
67e3d5057ad29251d34f7f08088a5e42c6ee1f85afe2b22e38974aaea34a9d9c141d9258e65b8251b965f4b0572f5e4a61550f7040faaa1c3bc33930b364f4f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\8efc4b5b-d459-4ce3-9042-e983479b9d9d.tmp
Filesize
3KB

MD5
eb53542b91111dd0b9cccc051fe586fe

SHA1
9ff24814ffcae434ea1ecb5c30179977029f0024

SHA256
ba0b11f464efe53c0a62ae01f0c83edd1383cd26a1fc268770f19ae50a673f58

SHA512
b2b90fce7cd7bba4dcb62374f75cd46ec6e7d97a0f6ec5976d53112003eaaa09250ab4dfb41b0121e54fd5a73024630d852f168a80f8d715bf7dc9a2551022bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-66222A01-BB8.pma.ReadManual.F30D4911
Filesize
4.0MB

MD5
bdbc7634a0e55023335a2c957ab0c6b1

SHA1
6290502808405e94e8096f4d4a9554fe8cc051f9

SHA256
a782b1d8ee58336cf82c527d9d393b0b9732f832c8026dc6a24fe8c22687880c

SHA512
755f806d4757250b4440483d285845a26d989d49356ab3b8f8a075b8e75f173309c1a21016c03404fd881ced7466a00be088cbf4eafc1d2d6fc547430e4bcf34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4df561add379bb0254fa9bf3e1194675

SHA1
e28f5391a730121dbb95864035a841f6cdb61fe3

SHA256
76b88e4539afde3a8bc4bbeb096f9a6169ab5040e68712fe0cb734b5c82b4403

SHA512
c3b507287e6585870912e1a1356ca12797bbc729beb580a8524ce9f46282825349646a06482989cd55fed4e3ca40085dab01a07ba7f0fce47e8a3604e2c0fab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
21ef8030766f5513c68e8538e3236923

SHA1
b9e82065d5cb8e5c3d623a3419fedae39a390d5d

SHA256
630752a6d07997f525f21011afb0560b51c81e430063cf5dc36d159d3f3c59ca

SHA512
4b6e1c7996d2c5d1a2771893e93c89737ce3d11b32749a54059f683587a68f82c6cf9c707a5d207c8e34f77f607bd0ab2b4b457d0df207b9036ce489cd63acfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6ce9f138630cf08c17cfb1b317c002fd

SHA1
c3414edaab413daefde83776447e43913a8fc5ec

SHA256
91ee1dedefb8ab0877ae38c1b5a0d9c27a22a18a4095c6ef74b80367cc14270d

SHA512
05171b2a7fe5593acb87739d581374551f0a2c56b84e3fa3439e767c7bb60668052a7ca0ddfc6c2c9c444f8068ff95de15745e19d8c5946f265b5541e56040fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d323748745d081a980450b655a7afc21

SHA1
83183636a5f59e5808a64f628a5bd771f8f406e7

SHA256
65b4f7461e48f70d4843cdbf853ca98a87d091e690dc981aea61936b45bec285

SHA512
76e5533a1b0c17c76367da52680db4590b7581468c7f1d95cff252e73d2796fa25335994dadb5b791f16f133e150f513677f011deb9226ac4494cc34eff219d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat
Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
Filesize
44KB

MD5
d5bc60a3b15d118dc55877a18af9391e

SHA1
b1a3cefa3a241137fb1e12ec3eb84dea90165056

SHA256
f05154696bfc5e3099fb8f76ce6a167011753970b597561a5101d7047ad48f09

SHA512
2dbe0fe1722e0253e466e01b1b970cef08e16efc76b4983cc85c3be2201892289758219f3380190ba7d39ec9b74b7662f1d0e35dd542a4145f8c8bae5a2a9d90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
Filesize
264KB

MD5
308c7ece6687ea2c3fb6041a15b36621

SHA1
3e51d8d99ba8aeee2328ef8ab59fa84d5b3199cd

SHA256
847b97e50d17ddb98b72ba72f8c9badd706996c0e97b16a387f94474e99a7273

SHA512
7dc541a94ec77782edcaab4223d7ed94fe675e4b194629ff48ac5ecbc539644b9d2bb88ae03abf1c6788396454aa233ac05330b6e28e118654f415c9306a95dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index
Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons
Filesize
20KB

MD5
71c47b8f44867d805fed290fb0a18f74

SHA1
a019b3329dd49f91ea94267f19de580c40c6ef67

SHA256
13daa8fe29d46fda8acd97cacd7baecc700b2a8763538709f8282941b629865c

SHA512
f35b779a06ef83496eb5adcd1ffeb20c144cc78ced2d923c5f87f9b9220b23c31a712b7518f691b58f65422a28b48ad569a43ee23936fa6445a9d8251a9658c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
3e794ba6f88094580ad89c38cf8dd067

SHA1
3bbeb9c7dffb6d292ed007568039df497ef6f5cc

SHA256
9d13065c06297629884c0333db5c96f33591824ca45485b2d11f843fcb92c921

SHA512
2011aaa618f4b37e7a0526eba46be5f47fb0978c6048632176b30ab746f0e567c06bfdfc759b3a39a471ebc3378e358659fdb35ba6ee3b97636326a35036a8ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index
Filesize
256KB

MD5
9f66c083b532d6536a30a7885f9045b3

SHA1
b9b4778ed1b8a0e449a69692d4dba30de939e408

SHA256
28840f816e3403b8e5326d7d345ab60ec8d347a00a09e4c1429712fa3c4d1b02

SHA512
62fdb42fabecfd3358470a9b8a9070cbd935dba89fd1f05c11c06e33d8c536caf0e1ce58994e8b52e6af3e5a432d5cc8b617c1089936423c740d55e53640fb18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
Filesize
124KB

MD5
8ef575b195ba14a6496ee8096967f52e

SHA1
7d8cd5e5d5f0d06a9ec7b724efd718ba571ab335

SHA256
9b90603848d8378441a5189e840d04cd2a4dd1e3875a60720bf353afe5b74529

SHA512
f313126072d6e2be8e3e427cb245c731d2745543a58e3c183270b0f29f4fc784f9503d31ee2603b8bdcc49ea14a6523e49c91167a11b46f5483d47ac1da169fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
Filesize
623B

MD5
91d24a055f96c199d30347604690ba61

SHA1
a0d8417a09fa2812ae49c331af6d35d12965939f

SHA256
1ce1b83bf535f04c4a4739ff6d7a07eb13abb344fcf91810a95e03b5722110a9

SHA512
48bf580e17240db6e8a6f4a5fcb0d89dd0f5e706821e503d82ebe8fae668e1c0a4912f31eac5943e11d5628e0648a535fe3ff7ac0958d53b18ec4816f9470bb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
Filesize
477B

MD5
d0badc7a9e1ff5b590bc767f8bc76e19

SHA1
046b147bab4fdec15f96a49c21fbf1b5396925a9

SHA256
e7cb94effefd143b0739cdd8fc23216240bb07655756c8cfe0284874ebc35e51

SHA512
0c6825ea78d9b5620104ad7ba08e6e1f09ef5ce835e511db8c52786a4db35317e8072598d56cfefb898fcf45d636de56690fa190d5c6859db7b7bcce8d1e0033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
d9d7ca064180d80ce8655de95d4a0283

SHA1
0a60cd8e60044ab7ba1f6fb7d1acc4e53fc7bc46

SHA256
8ffb16be097201e6f6184d86075faed976c824e7218e6df9b20171c5b1cdeff7

SHA512
dee8613e378fc9b425d61020eab1123bb4fe31c83878eebc18c8a615b0a95cea59d0909a6d4b76a9561ac7ad1eaa2c2daa6427e9beba3605657fbdca1cce42ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
8404cc851131441d0b3d493f798a5f21

SHA1
bbfaec9cb2cd503de6cb125195f775871c652f20

SHA256
85f5fb3dcdb129a3230f22cf3e9c9a0e0a7c967ba20fc1b9ddee2dff280666c7

SHA512
50fd8f70bacf5d6447e056df2bdfe59e5dd5a8be20276ec352f55b2a156b427939885338a2824fd6bc349be6ed203ef6b64ea2e6e03b42c7c11d719f4f9363c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
d15b7a70d37d5e9a4511e77b4a9b6402

SHA1
42d908af05f0b9b0869b003db57b562e1da3e36e

SHA256
26db9a37a2a405d407a47b5bfdb6675f3463ad6f9dc369a2b2e63ed4e9cf96ee

SHA512
e02b0c4ec8587c99aba66e25541b65e12cea06ac7ee5d06ded2491687473a3db98430b62291fa388ce1596c784a52cd42401d7850b2ccd869ae63ec24fe87685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
a829511cfbb82106438c3b69432fca05

SHA1
8b27abeb8710a48c33959df45dfaf6b03d523967

SHA256
f4f01799eaabf5bb6eead75587e6ee32dceddf5b6dd2692ee43e6a84c643f0f5

SHA512
68421d8c4ed6215d1707a0ebc28262a5cab599ae9d46fa45d247b802e9b0a0c1b125d4b2efd8fa6ce7680accce4978a2c776f3ead2b5901c02ac098decd51be1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
cd36389e3fe2fd72d7d796afdd3ad282

SHA1
d2cc7b54e5d5fa17821e6f533eed808e34f1fd7c

SHA256
e5ebfb286e04ccd7898017bb00933f563d2d119ee53dba6697b88cd60613974f

SHA512
7664ae1037ea17b4f22e8fe86f43ccad4a18a9903ef5818a1b6619af459d2c7eeaa80a739e9542eac92c9e3feb933b63c78ac439021a2deae77dba08bcdb5aa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13358928725055186
Filesize
925B

MD5
6c9be1f3f9c439c9af704b8d95e48106

SHA1
82151f390d497179bca8deef92eb96bb7fe9bfe7

SHA256
068c5e20f20b8591bdb82daa8c4163a8550c3b5b27fc25be4fffd1f66ebc7570

SHA512
4d552e80c5958d8436a5db5fa27bc5d9e6d56ddb41a616553a4edd9241cb4342ed300df6aa1f30bcf3240d9178d6d66684d8327c5398b6329029203bf461b381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
Filesize
309B

MD5
8b69a2729b978b07da3b3cb16015ce80

SHA1
7cabadbc33988768b034724898bd6cd8f7d66f0d

SHA256
06ccb33bf6f002c00401212ad064fab3b24f1c5746f1968df52409588cb7b62b

SHA512
95188dcc0a3d398ed691bd675d7d53b37a9f2f42e2f7321b2919d017edbd146fa17430653b9331061c2d779c2178dc3c8f1d82769c4471015eb4633c9d0227fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network Persistent State
Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\000003.log
Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
Filesize
283B

MD5
32e88fe1c03ec022cc9f33232cb33061

SHA1
4e6f6bc1fab8e025d9cd737ebfbbd6b1de093e6f

SHA256
8edfc2422068611f50960a1dd975644bc35583fb70d3355b8b26bb1f965f81ee

SHA512
320cd71c062018daf4a3aa6dd313f5a454608e7a64f4e97ea1ec3d15e47d017161d6c72b5f23aa5ca1988b8767dfa9247cd4cacfcbb1d27d3e5558e37f79dc3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites
Filesize
20KB

MD5
f44dc73f9788d3313e3e25140002587c

SHA1
5aec4edc356bc673cba64ff31148b934a41d44c4

SHA256
2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983

SHA512
e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
Filesize
128KB

MD5
4487b9f71b57cad3d43107c9c85e8991

SHA1
455361ddb2658c6438fa4924421d24a7945a5613

SHA256
dfc681b17d02eb3767c0d54003daa7d47dbbfb567ece56b5421823d98c6f104c

SHA512
50246b5db50a4a6220309a49967e2321b6c402f28503679e0480e85f642e89253c30e25b2cefc0c58726070b5d052af26081c8617e0647386fdd3f99cff3fb74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
116KB

MD5
6850a7cd8150e6e6dad560aa92184007

SHA1
89cb58767b56a6cd98c418db57e6366fc04b05be

SHA256
9c75048ff8ca2f1c1f82212d8ba83e32b7f606d8286e89e3bafec526cf54a4c3

SHA512
06405d8cd33f2f3f8404f79c23521fc382feec83c121a20ccca48d6f497984b5cd9c44940879ee69a4cf0314978a34caa41483f1fe83959edb3ef5848659117e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a06ea164-de38-4398-82d3-d88934fdd9e9.tmp
Filesize
4KB

MD5
177fab890ca8726b9944153de41f5b3e

SHA1
490c537f33d7bb4f4475f2c1ccb78951139d380f

SHA256
ffbdc11225d8f525f0967477f6ae00b8f04d812359d6bac0b2704a475e0394ef

SHA512
27b312e66d9adcd8e92ea9578c80c28d31e0e6e222695f60b7f15b80238733843673bc49e09021f45cd6e9908c80d544141e578a6040b8552dd0c7655d418cc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\aa73d079-0023-4daa-98e8-daa9ac3b4cde.tmp
Filesize
24KB

MD5
40f608942cff2a7f21240069e71a30d6

SHA1
7d8d95f230801df9a47c31667955f322f212f4a7

SHA256
9c63ef3449974953e9652f9ff571b5029b71e00042f8095fb078c25f4a2bc051

SHA512
0d3b740aaa84f582049d5237ab336e6bf0bf69a771f59a2dde100d9800aad7400d5fc7fcfeeb864f9481086bb0eb3e1bd7976a8c219b18ede9cec93362aaa524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\adadc4c6-ca32-47fd-bd5d-93273d1eb478.tmp
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
Filesize
44KB

MD5
0b1cddda4c1a06d03c3c316682b5e571

SHA1
3398ab799967356fbce90a52bbeb267cc921f84c

SHA256
c3bc04cca51ff12d49c7de4c7160559fa118e49cc462bdac003b1ac0324c6eda

SHA512
763ced33cb9faa884f02dee3ecd3a4c6a9af91e450960e57ba0b88b5200887eedff4cbd92c508faabe1bf8190c7c97acef2e63beeebe99b0a3676f22c3f9a7e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
3KB

MD5
80cf0a55783204e41e569ff1ffd80569

SHA1
c8a6a698d4cb15f9324a3cb415748667f68f9303

SHA256
1926b31f2da54ef4d62081c9e457e58f1793da840c74428bce8dbcd812825d36

SHA512
0fcdf7f0b337670a77612bac96770feab8386775341b8decb24a7cc23da4fbe32cc401f1edd64e89af6d583e1f1501420a6cd49923251b5b5515cadc5c61e290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
3KB

MD5
a7caf5cb449305b28a68054d734833c5

SHA1
d7b067cadc1ef864ddfdb4f77165c0379e0aa36b

SHA256
5b2dcd4eab7ae4bcbf88c58e2ebd8b178f629339a53358c30839b4416295d1e7

SHA512
7e8025db1228b9ab2f8ab7680299ad9e2d18918c5181c0018ddb982d3cc24c9df2f258b8677a25b420e732b2ab7699cec6be2dd8c5bd2cfb235aadc9f3d42278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State~RFe593f61.TMP
Filesize
3KB

MD5
432dd1d02e243249cf67213b8e1237e0

SHA1
4671c7fd1c0ea6543ed1c22b07a816a5cd4374aa

SHA256
1fb44768222131cfc3d03bc7621c479f1207cc3cb97ee0f2d6d883d35ae5ab40

SHA512
819013da49eb0b13faabd1debc1a15961bcdb5f1ba2ab2b5c784880de06e190626eab08c1fc2b015e1a79d1e12f68a3e469dbde27bed292891c08bd416b8c400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
86be991a283f369936446e0de8ae321d

SHA1
823958f33f8e06de2b344ac19242406314a3a2eb

SHA256
965bc13af416ed6f17f1ef7446d4dee9d11c78fdaa2acb148b19d04b6284c7fb

SHA512
2ad066cadcfd7b82896cb228163048609604166bfd6d7b778b44acfeccfaa392fdf7cd4e2f4f060f75e7d2b8371bb4ea969fc2734fd9d73dfbd37e2702df77df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\index
Filesize
256KB

MD5
31cb9b6f07691f0e56b3d7c97de73ced

SHA1
d5b4dd3dc1afc7f6696def93c0e2691312be4650

SHA256
00f85b3730c52872c9f23422c9aa7fdafc0c89ce296c2d4bed4bf83d281c71a6

SHA512
212f1d11eeb0aaee03c648be5cb1a2e3a1e69b47b3f82f48c5c6113b62b2437914c44d0352a8d78757be07fc9a407b305ea6f03823d62cda6fc13ecb74e4f814

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E576E5A.bat
Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
\??\pipe\LOCAL\crashpad_1448_PKXJKNMQBFNVSCJE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit