Malware Analysis Report

2024-09-11 15:17

Sample ID 240611-pflylaxaqr
Target FeatherBeta.exe
SHA256 21ca0cfac6e2b53068974d828829f5f0b7c064bbdc6b03370dd28d7ed0dcba58
Tags
xworm execution persistence ransomware rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

21ca0cfac6e2b53068974d828829f5f0b7c064bbdc6b03370dd28d7ed0dcba58

Threat Level: Known bad

The file FeatherBeta.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence ransomware rat trojan

Xworm family

Xworm

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Drops startup file

Drops desktop.ini file(s)

Looks up external IP address via web service

Adds Run key to start application

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Checks processor information in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-11 12:16

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 12:16

Reported

2024-06-11 12:21

Platform

win10v2004-20240426-en

Max time kernel

263s

Max time network

272s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Test.lnk C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Test.lnk C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Test = "C:\\Users\\Admin\\AppData\\Roaming\\Test.exe" C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-4018855536-2201274732-320770143-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Test.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Test.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Test.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe C:\Windows\System32\schtasks.exe
PID 2384 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe C:\Windows\System32\schtasks.exe
PID 2384 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2384 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2188 wrote to memory of 4456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2188 wrote to memory of 4456 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2188 wrote to memory of 3948 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2188 wrote to memory of 4828 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2188 wrote to memory of 4828 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2188 wrote to memory of 4412 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe

"C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FeatherBeta.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FeatherBeta.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Test.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Test.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Test" /tr "C:\Users\Admin\AppData\Roaming\Test.exe"

C:\Users\Admin\AppData\Roaming\Test.exe

C:\Users\Admin\AppData\Roaming\Test.exe

C:\Users\Admin\AppData\Roaming\Test.exe

C:\Users\Admin\AppData\Roaming\Test.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=dQw4w9WgXcQ

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f4fc46f8,0x7ff8f4fc4708,0x7ff8f4fc4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8955960960722689223,12711077842388097492,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,8955960960722689223,12711077842388097492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,8955960960722689223,12711077842388097492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8955960960722689223,12711077842388097492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8955960960722689223,12711077842388097492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8955960960722689223,12711077842388097492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8955960960722689223,12711077842388097492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,8955960960722689223,12711077842388097492,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3612 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x378 0x4e8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,8955960960722689223,12711077842388097492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,8955960960722689223,12711077842388097492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8955960960722689223,12711077842388097492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8955960960722689223,12711077842388097492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8955960960722689223,12711077842388097492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8955960960722689223,12711077842388097492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

C:\Users\Admin\AppData\Roaming\Test.exe

C:\Users\Admin\AppData\Roaming\Test.exe

C:\Users\Admin\AppData\Roaming\Test.exe

C:\Users\Admin\AppData\Roaming\Test.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f4fc46f8,0x7ff8f4fc4708,0x7ff8f4fc4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3753048675429016794,17716831690963887966,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,3753048675429016794,17716831690963887966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,3753048675429016794,17716831690963887966,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3753048675429016794,17716831690963887966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3753048675429016794,17716831690963887966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,3753048675429016794,17716831690963887966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,3753048675429016794,17716831690963887966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3753048675429016794,17716831690963887966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3753048675429016794,17716831690963887966,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3753048675429016794,17716831690963887966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3753048675429016794,17716831690963887966,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1

C:\Users\Admin\AppData\Roaming\Test.exe

C:\Users\Admin\AppData\Roaming\Test.exe

Network


Files

memory/2384-0-0x00007FF8E5BB3000-0x00007FF8E5BB5000-memory.dmp

memory/2384-1-0x00000000002E0000-0x00000000002F8000-memory.dmp

memory/2384-2-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tftw5ls5.u43.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1172-3-0x000002AE3C290000-0x000002AE3C2B2000-memory.dmp

memory/1172-13-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

memory/1172-14-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

memory/1172-15-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

memory/1172-18-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60945d1a2e48da37d4ce8d9c56b6845a
SHA1 83e80a6acbeb44b68b0da00b139471f428a9d6c1
SHA256 314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3
SHA512 5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 98baf5117c4fcec1692067d200c58ab3
SHA1 5b33a57b72141e7508b615e17fb621612cb8e390
SHA256 30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51
SHA512 344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

C:\Users\Admin\AppData\Roaming\Test.exe

MD5 edcd8f5e42970d9c9006e45f260cb285
SHA1 57a23cb88eb7e272921727fe1e01d5368055f94c
SHA256 21ca0cfac6e2b53068974d828829f5f0b7c064bbdc6b03370dd28d7ed0dcba58
SHA512 8c793ea91caa2f35c38b898f030f9175bccbb57f154c6dcee970c355a7fe3808c5d216756cde35d3af3ccd98fdb5a4a9adcbd1c08f69274257fd476d71761f43

memory/2384-60-0x00007FF8E5BB3000-0x00007FF8E5BB5000-memory.dmp

memory/2384-61-0x00007FF8E5BB0000-0x00007FF8E6671000-memory.dmp

memory/2384-62-0x00000000025B0000-0x00000000025BC000-memory.dmp

memory/2384-63-0x0000000002790000-0x000000000279C000-memory.dmp

memory/2384-64-0x000000001F840000-0x000000001FD68000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Test.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ea98e583ad99df195d29aa066204ab56
SHA1 f89398664af0179641aa0138b337097b617cb2db
SHA256 a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
SHA512 e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

\??\pipe\LOCAL\crashpad_2188_DUKXGUERGOVILJBK

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4f7152bc5a1a715ef481e37d1c791959
SHA1 c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7
SHA256 704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc
SHA512 2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 29bbf4f058b02faf8cdcc5cc878337c3
SHA1 18b4b049be175d4201d766e1c84e7440ba2d32df
SHA256 891b58766e0bb2575482a5f4c0cc7ddffac417f76f7c99f7fd549d1aead5862c
SHA512 838f53404b36160eaac901957dc4104c65f88c77104ce7168b641f820766f1990c7463958388eb81e5dfe28a1eb10145001f3f00186c68964496dc8bd6865fa1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 f5cba156126fadc576984c1be4e008cd
SHA1 52a7742f61e1a011f8fa124f534691a6b3c64f7c
SHA256 e6183aeb76d96e4fe9065eebdee790ede11fd869c515fe587f59aaaaf2aa71f4
SHA512 6e771ba5fcf7209ff9e9639ca3e29eadc20724a7e2cc9361ffdf579dd962339604f51a71df3d8a860c016762d8ad999f3f3b63d580dc22ce61c4205444b6f538

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 e6139ec4bcd1c1d3d2acd873d43960ab
SHA1 e168895b1818c914e4473b21361cfc1c61c5dd49
SHA256 436ef0d3d5128a4fb80669b462717b5de92811c22480062bf26c419fe9049fb5
SHA512 139123ee23c2796689a23ee4f94da6f570ed3baefdb6b63f75226a574fbc5e34477ec2285cff0def9a9cb4c439ac22bf7c572fe2f26d51b1e08b2c7e7604fcb1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 48ac7e4e36c7936081f44b9f43e5d092
SHA1 50ff3b9a8f452dbb6d537da55c8a115fd92df2a8
SHA256 c3b129e157d11d4b97f9fbde2ba19b6ca965a070cf91f296530bcb7772922be7
SHA512 9f22d3861fde090bdc1a1b7a042569e75d2c2de0ea2fb3f8253826d4f95a7f9f2f2439990b460a6497a7e01275ac22e4e4a33f04190e36f72553db1785363be6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 e41c42ab30a386d8516cdd0843562c8f
SHA1 891e1833abd1d302af421a7fb3e0716397ebaa60
SHA256 2c44dbcc7102274310a3547f254da8ae12ba676623dfb3ae3f38f5d246876e70
SHA512 569e006c6783d9197e3a32d0856586ada414aebc59ca773d23ea41c29efbee54341295164b6a053079feddd968d33b6c96559531c897bf85e41c2bf98a0877b9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3f9ae824080ba083bb2c0c2d9e56f6c6
SHA1 5c9f5f2af9517ba338f2f8caedeea8dd6039b146
SHA256 d7b29bca2ad17c256bb4420a8f08b545d717f24503ca4f37a1a8ed4cfa230c1c
SHA512 b89d9b398626c111f9926a233bef46cdb8f598aa4aa7892370d4541e0030538ca66f040ece4e1884ca81607c80cf19204925774b88cda5f17d684c368a58673d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3e555e089c532ad8fdcedbc53cd68f04
SHA1 9b818f0918348d32184e07f57709074fdf8e135d
SHA256 365ef5ab331839b371de3cff5afc03cca2a413d6805327841f5f20af1d5dbcc3
SHA512 e6ca07a1c28db333829712df8896f753b82dce71cbd147c09f74733622b05a8466472b1cc3ba6b94b4de41933437bb2c7bc61dce0e0c08d8f514227d19b00055

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 26c65ff9d574a9e00a70afa5386c869a
SHA1 78b0a51c6718910b2cbc044def9a6544b5a11be4
SHA256 608f9d7859ff841d836e5b6ec0a408c7747865de9ee2134cc2dc79c5e3ad7371
SHA512 baea7da130a824699f7be7881568dd85d3f77ddd34cf3e9eb1a8c7ee18f2fbe76db6e8323310ee8875756aee7cab71d4686ef926697b6db716d84ad7f4666962

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 01fd2567ec874df640f948eb3d7c189e
SHA1 0c4c7cc5c62fbf561db2cc5cf7cc304e865f2e16
SHA256 f3c7051214f59fb5f2547fd3ebcaa3314c33302aa34ac643c29725702fe0f24d
SHA512 93c65f066c053294b7bb683f4df9b5ff476230dcc3dfa7197d7de55dcafadee56c4573e7fbb6613709e41f507ced74a45e96e15ab3d012a8df2e16b97b6f55df

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58de84.TMP

MD5 38621ebe1f513b3782a9059a09362d64
SHA1 e8c9220072f474f81e9b8bd5e4ddec158156a3a9
SHA256 c4c05c202c4cd52f7dbbbe29fca1b66ad7f6447071636c74e1ce566aea7f72b2
SHA512 9d258c6f17650cff64b5fc038630d73797d802a0bbcc8b3b542d8f583c2f4e4c5c9167f1ce540bccc9a4be7f78b77c0a8f69c232d6ef0e9986dc284aef3ca423

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f1d08d7de5d24b0c2aa329533a5621c7
SHA1 ee8b801000c7e594d4ea14e44743b3b6bbbd4279
SHA256 5cc05d3bc7a81d79455cf16767e396264a00bbf1d703c29057f20a3f2c0f8098
SHA512 6f191355317ae36808aac52d0b91759330785debd2e82702054fb93b754c2e9b58b56ee6301c0d8dcc5ee1490422dc0e3c4a814818ed34514fcd6a0482c86e7c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a4a247d5ec3bc2c4267c7dc0d2f30e16
SHA1 debadaba736efcdc7a5cfa69d6aff99f0de2027c
SHA256 363c5f88d1513ae9f3deb240fe7ae1737c095cc8f2d1c9e53d7ee7ceea7f87a1
SHA512 9032d47ef81cac2faf9ad43afc98bbb16cd41236587b50f21de79ed89aeeac3280a821a1d6779cf749417e5ddabd1cb03cf604d168cfb5ce8b96d91c9e428f54

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 9b1ff3f620d09b5d701da75c5c3140a6
SHA1 c61eaf9093c94c4aff0c30ec391e01b68ed7de6a
SHA256 63a81d53e30c9dcb8b233ff6c1e4ab723854fe3c855420f8f3fe36b66c9afbdd
SHA512 9f3478b49809bc3f47ce85ebe66e447a96f3111442b1cae7290dada4d5af8dd7e463daa816eb85a23cfd9121016fcd1ada0f85f90fb31b6a94429edbcac49e7c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\bc4b289c-3b75-4f3d-9c4a-5908978d947d\index-dir\the-real-index~RFe58e8f4.TMP

MD5 00066a85426fe2ff78427ee28d5b8e10
SHA1 b6c9f89121eef5d253dfb30a986e7e97d02cbc85
SHA256 b9ba5ee702168a0e9b4284d57e059137ecd9ebe0e9a74644423fc2faf0d296bc
SHA512 3875531f46eb4cf8f26ef45e3760c783cc86129d4feff1ec7583cb00717f532c0372129c518e3adf3503d224a7117a247f4beb42c78a6299e2061f75d2ace875

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\71c5fcdc-ed72-4d12-9038-52a7e0a90f53\index-dir\the-real-index~RFe58e8f4.TMP

MD5 93982948947e783ddf2874c9ce0e5a3b
SHA1 08fda4b7277251cb8bb21d06c2e882e90a3cba49
SHA256 bfffed51da185f3226b405af57321d44f4fb34ae5bd3b806e0702746a3e85a18
SHA512 8a326acfe983106205e20153976bbc37ef2d297456d3fbbc41008e4229d70f008bfacd9cf8c544ce29c83c372331d03e974fd6c0578565f07a9f2dd50174d157

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\71c5fcdc-ed72-4d12-9038-52a7e0a90f53\index-dir\the-real-index

MD5 e0b4dca9995a898b90faaf723f924b43
SHA1 23056fd7b6dfb7972cc8eb6922c65c1092e66082
SHA256 89c40b3847d26018679eade82d93d2c2e5a248d8f1f7018a1d2c77e2fc3fc913
SHA512 541a4c72cf7cf71d6440dffb9923b1ede534aff9a756cd1164923004129bd844ae1655cecd9754ecbd5834439e14ecd1a747843172e5b3d88e070fc2a12275ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\bc4b289c-3b75-4f3d-9c4a-5908978d947d\index-dir\the-real-index

MD5 5d6d79e2f24611e1745d9031cd2c87f5
SHA1 10d638b534daa303cb987130923b3bd902bc8cb5
SHA256 26f444fea183fba5f359419e495e2d0d946625eabccafd58607628c28f34364f
SHA512 f25e048779ce59ddf5ee81d4145c203b7348a66c67529d88a2bb75485a3532c41a4eb70a75eb6f9d1b626857017e0b143b232450125e02e869b0f024ab7c989a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 644bdd0e5686866393581ecc9d1f0518
SHA1 b8e3746fb39e98458c1a5fbcf12b0a1a6c18361a
SHA256 84bd1383a6bcd3b61e5add298f102564dc9d4d55f7524690f824ab60296768eb
SHA512 ab34958980aa1f8dd74f0be80d49d3eca1e09d7e30edb715a24bcb8ed8f9f5eccd9daba3b5952160a62b8e89e57c5df77d360e19dd5b761b4d7f5cbb5e1f6487

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 a5fd940d448bdee5b41482045cef57a0
SHA1 ab88b74eb80638b7e63932fb6d004f48fe953120
SHA256 6d48bd7dd0cf4cbe36ae7f36c05d58ccef1358c12f4fc6bf700a0d834f479237
SHA512 e72e01b72e21d86a39367d8766c51fc781ecfe986a6bebd74f4d553adf818a2892ef2f0f37bd5fe8c7bbf40199a10213b22c1cc7830e21101cb65ebc09abbfab

memory/2384-647-0x00000000027A0000-0x00000000027AC000-memory.dmp

C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

MD5 d7073ae47c446575c1757bf593015e3a
SHA1 f31fe3ea3de0c783055c309b1f4826f953a987b6
SHA256 6baf038baec2ecb359ce6acdf1d99943b95f0bb5904638e5951a97e675ba4ab4
SHA512 c02de73d23b9d52679cd142c97eb12ec894cb99b0e79022ac83f92b6a9dc178ae1dabce4e9b707fc60811ee04b90bb5ce77f588fa924741c446ed39654c45af5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8287f3138f3b12243cd985468d5e9c9e
SHA1 cdc96bb898078531a724673a4ecc3e46f7ad82ca
SHA256 0678ace14c39e8b2562ebafae1710644308a961c757c7862114fbb2bfb39383e
SHA512 5c570d5ea9473e0f2ca2909473b60df0a6433d56c7aa143cff6879fe86143fddf03ff74c3ab997c32ae6872563f11440dec8f7cf55d5122e031dce64188fd0db

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13362581896686116

MD5 c5c44ef6a8baf10e9859bd2aabc6ab49
SHA1 20f6c7cac7562ea3e5a21869c3d4b2500d5253ca
SHA256 4c752cbd4c2c22fc0538b8047339535ee853ba811e4e84ba1d73dc0b4b9bb74a
SHA512 0fcfb39a0b8ddbfca06c01289ee5ea7a1186ebbca7ecc8d0cc76daf5ff8288e3b771b1eef10f3a751957e6928793fa4d1de1389f1e71cbe45234d2e23c4b230c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

MD5 9b7f9524f7ef1c6403f2368e775b8b13
SHA1 70a1c5d4fb14f4c236f29c585439b3f9a8a3c0e1
SHA256 7a250bd2d3693dc12a962b0acd3dfac99384b3a9458a8b58311bb159f2297e18
SHA512 cfe6cb430de4d1699c1bc5124703dcfb9b997e26bc2586ad7c5846c0e56bfb365ebf30690cb7cebcbb8d0b17209fe0bdcd55124696868ea4ff72e0d5515dd5e5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

MD5 09f1cbdd7c0b33b1b9b4d36cce173690
SHA1 28fd36a562ff6ba54a4eaa77a5d232769739f3db
SHA256 9c31daf89c646a3e8af7152c7f13eb0bfd651eaf5cf102fc2859242f0e0bc552
SHA512 bfa3e0db5a677d2250d71f2212b44e2c2317bf06bbf6127768477760e1fb861fd8619fe24feb9448525dd81245ae8b9d3c5b183a62855742127fcd8fd04acfe8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

MD5 3c191606998cc1f0b3aac8726fcefb50
SHA1 8b2c6cf844c70fe16bf50b5cc6c2028a6bbbde0d
SHA256 d8c182d80bb5f9b02b008ce673be6f09674c6dc02011d05f162764031af962f2
SHA512 9e2f1cb2fd4e1791d2227af009f9061c059ff94fe6807410475c07a846c88a20ed068e2798abc5ffdd94e22096cb4f2350914b012272ad431a207d4542ab6164

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

MD5 9abe1c32f821f384550928ee5e137163
SHA1 2c07a096b50930dc393d225036c20ae4213451b6
SHA256 1b3b11fd23dc46cb753d0befbcd47572b05b4860f7c781f54db916f70646a52c
SHA512 a7ce60d48e7dcd2f628b7542d3a2d88083274aa496766fad73a5b86af3509a75693261071ef8a793d36ac178349baa6edc63f7060387e900d1c9ebaa366ff27a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

MD5 2b6c2844507d61d50677ede90c4e06c8
SHA1 36d20f3426d43719549c917b2b5331091c348abe
SHA256 a2c113d4ff549814c9ecf31bac34a685b17369975c39db28fd66370c830beb81
SHA512 001c073d485e044ed07fcb3ae822ea3c0c29ecc3fc9e476bcea04725b0729aebadf5b0b726615e8c29f2be43252e03f5eec63f78176d85f3003e996a6a78226d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

MD5 4a35b02cac170d1fddcadee7b34b4017
SHA1 bcf421ba49ea60e345d64b1a30bd924f1210b6ec
SHA256 8386258121e74f10253da4045ca3e06093fb788a4763193b1d372489f6998bce
SHA512 acb2304ea5439de4505e6b7cd55c6f382c349627852d9cd707c86d1c87b20272a45953022426ade242dc0ed74dec2cc4e77915acb5179b44442af7d2445f0c12

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000007

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000008

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000009

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_00000a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_00000b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_00000c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\000003.log

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
