Malware Analysis Report

2024-11-16 13:32

Sample ID 240620-xrl2qsxbrk
Target setup.exe
SHA256 e75ad7de2b0cb0e49e744d6e7e4a605d5d76467f3438b6cb0207b471105d9d92
Tags
xworm execution persistence ransomware rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e75ad7de2b0cb0e49e744d6e7e4a605d5d76467f3438b6cb0207b471105d9d92

Threat Level: Known bad

The file setup.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence ransomware rat trojan

Xworm

Xworm family

Contains code to disable Windows Defender

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Drops desktop.ini file(s)

Adds Run key to start application

Looks up external IP address via web service

Sets desktop wallpaper using registry

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Scheduled Task/Job: Scheduled Task

Checks SCSI registry key(s)

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 19:05

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 19:05

Reported

2024-06-20 19:27

Platform

win10v2004-20240611-en

Max time kernel

658s

Max time network

660s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker.exe" C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-4204450073-1267028356-951339405-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1428 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1428 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1428 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1428 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1428 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Windows\System32\schtasks.exe
PID 1428 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 4020 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 4044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3504 wrote to memory of 540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\setup.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'setup.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaac0c46f8,0x7ffaac0c4708,0x7ffaac0c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,9712592778706338036,3824165567238197978,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,9712592778706338036,3824165567238197978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,9712592778706338036,3824165567238197978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9712592778706338036,3824165567238197978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9712592778706338036,3824165567238197978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9712592778706338036,3824165567238197978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,9712592778706338036,3824165567238197978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9712592778706338036,3824165567238197978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9712592778706338036,3824165567238197978,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9712592778706338036,3824165567238197978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,9712592778706338036,3824165567238197978,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youareanidiot.cc/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaac0c46f8,0x7ffaac0c4708,0x7ffaac0c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,5498701181983526864,15927713479593978004,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,5498701181983526864,15927713479593978004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,5498701181983526864,15927713479593978004,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,5498701181983526864,15927713479593978004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,5498701181983526864,15927713479593978004,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2020,5498701181983526864,15927713479593978004,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5084 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x314 0x508

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,5498701181983526864,15927713479593978004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,5498701181983526864,15927713479593978004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
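The three command lines at the top of this process list are the ones an analyst would want to reproduce as detections over raw process telemetry: powershell.exe adding a Defender exclusion for RuntimeBroker.exe, schtasks.exe creating a task that re-launches the payload every minute at the highest run level, and RuntimeBroker.exe itself executing from %AppData%\Roaming rather than from C:\Windows\System32, where the genuine binary lives. The Python below is an added example written for this report, not sandbox output and not code belonging to the sample; it tokenises four command lines copied from the list above (constructed input), parses the schtasks switches, and tags each finding with the ATT&CK technique it maps to (T1059.001, T1562.001, T1053.005, T1036.005). The set of system binary names and the "every 5 minutes or faster" threshold are assumptions chosen for illustration.

```python
import ntpath
import re
from typing import Dict, List

# Constructed input: four command lines copied from the process list above.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
    r"Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'",
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
    r'/tn "RuntimeBroker" /tr "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"',
    r"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe",
    r'"C:\Windows\system32\taskmgr.exe" /4',
]

# Image names that legitimately live under %SystemRoot%; the same name anywhere else is masquerading.
# Assumption: illustrative list, not exhaustive (RuntimeBroker.exe ships in C:\Windows\System32).
SYSTEM_BINARIES = {"runtimebroker.exe", "svchost.exe", "dllhost.exe"}

TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')          # quoted spans stay whole
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
SCHTASKS_VALUE_SWITCHES = {"/sc", "/mo", "/tn", "/tr", "/rl", "/ru", "/st", "/sd"}


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted arguments intact and stripping the quotes."""
    return [t.strip("\"'") for t in TOKEN_RE.findall(cmdline)]


def parse_schtasks(tokens: List[str]) -> Dict[str, str]:
    """Map schtasks switches (lower-cased) to their values; flag-only switches map to ''."""
    args: Dict[str, str] = {}
    i = 1  # tokens[0] is the image path
    while i < len(tokens):
        switch = tokens[i].lower()
        if switch in SCHTASKS_VALUE_SWITCHES and i + 1 < len(tokens):
            args[switch] = tokens[i + 1]
            i += 2
        else:
            args[switch] = ""
            i += 1
    return args


def finding(technique: str, detail: str) -> Dict[str, str]:
    return {"technique": technique, "detail": detail}


def triage(cmdline: str) -> List[Dict[str, str]]:
    """Return ATT&CK-tagged findings for one command line (empty list if nothing stands out)."""
    findings: List[Dict[str, str]] = []
    tokens = tokenize(cmdline)
    if not tokens:
        return findings
    image = tokens[0]
    name = ntpath.basename(image).lower()
    lowered = [t.lower() for t in tokens]

    if name in ("powershell.exe", "pwsh.exe"):
        # T1059.001: execution-policy bypass passed on the command line.
        if "-executionpolicy" in lowered:
            i = lowered.index("-executionpolicy")
            if i + 1 < len(tokens) and lowered[i + 1] in ("bypass", "unrestricted"):
                findings.append(finding("T1059.001", f"PowerShell started with -ExecutionPolicy {tokens[i + 1]}"))
        # T1562.001: Add-MpPreference -Exclusion* carves a hole in Defender for the named target.
        if "add-mppreference" in lowered:
            for i, tok in enumerate(lowered):
                if tok.startswith("-exclusion") and i + 1 < len(tokens):
                    findings.append(finding("T1562.001", f"Defender exclusion added: {tokens[i]} {tokens[i + 1]}"))

    elif name == "schtasks.exe":
        args = parse_schtasks(tokens)
        if "/create" in args:
            reasons = []
            modifier = args.get("/mo", "1")
            if args.get("/sc", "").lower() == "minute" and modifier.isdigit() and int(modifier) <= 5:
                reasons.append(f"fires every {modifier} minute(s)")
            if USER_PROFILE_RE.search(args.get("/tr", "")):
                reasons.append("action runs a binary from a user profile path")
            if args.get("/rl", "").lower() == "highest":
                reasons.append("requests the highest run level")
            if reasons:
                findings.append(finding("T1053.005",
                                        f"task '{args.get('/tn', '?')}' -> {args.get('/tr', '?')}: " + "; ".join(reasons)))

    # T1036.005: a system binary's name used from outside %SystemRoot%.
    if name in SYSTEM_BINARIES and not image.lower().startswith("c:\\windows\\"):
        findings.append(finding("T1036.005", f"{name} running from {ntpath.dirname(image)} instead of C:\\Windows"))
    return findings


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        for f in triage(cmd):
            print(f"{f['technique']}  {f['detail']}")
```

Run stand-alone it prints one line per finding; taskmgr.exe /4 (the analyst opening Task Manager in the sandbox) produces none, which is the point of keeping the checks narrow rather than flagging every PowerShell or schtasks invocation.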

Network

Country Destination (IP:port) Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 sebeee-39917.portmap.io udp
DE 193.161.193.99:39917 sebeee-39917.portmap.io tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 66.229.138.52.in-addr.arpa udp
DE 193.161.193.99:39917 sebeee-39917.portmap.io tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
DE 193.161.193.99:39917 sebeee-39917.portmap.io tcp
DE 193.161.193.99:39917 sebeee-39917.portmap.io tcp
DE 193.161.193.99:39917 sebeee-39917.portmap.io tcp
US 8.8.8.8:53 youareanidiot.cc udp
US 172.67.143.125:443 youareanidiot.cc tcp
US 172.67.143.125:443 youareanidiot.cc tcp
US 172.67.143.125:443 youareanidiot.cc udp
US 8.8.8.8:53 125.143.67.172.in-addr.arpa udp
US 8.8.8.8:53 a.nel.cloudflare.com udp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 8.8.8.8:53 1.80.190.35.in-addr.arpa udp
DE 193.161.193.99:39917 sebeee-39917.portmap.io tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
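Most of the table above is resolver noise: PTR lookups against 8.8.8.8 that the sandbox issues for every address it sees. The rows that matter are the six TCP connections to 193.161.193.99:39917 behind sebeee-39917.portmap.io, a port-forwarding service hostname whose "-39917" suffix matches the destination port, and the single HTTP request to ip-api.com, which is what the "Looks up external IP address via web service" signature refers to; youareanidiot.cc is the page msedge.exe was launched to open. The Python below is an added example written for this report, not part of the sandbox output; it parses a subset of the rows above (constructed inline), separates forward lookups from PTR noise, groups the remaining flows, and tags the C2 candidate and the IP-lookup beacon. The list of IP-lookup services, the port-forwarding suffixes and the "three or more connections" threshold are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed input: a subset of rows copied from the Network table above
# (Country, Destination IP:port, Domain, Proto; the mDNS row has no domain).
NETWORK_ROWS = """
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 sebeee-39917.portmap.io udp
DE 193.161.193.99:39917 sebeee-39917.portmap.io tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
DE 193.161.193.99:39917 sebeee-39917.portmap.io tcp
N/A 224.0.0.251:5353 udp
DE 193.161.193.99:39917 sebeee-39917.portmap.io tcp
DE 193.161.193.99:39917 sebeee-39917.portmap.io tcp
DE 193.161.193.99:39917 sebeee-39917.portmap.io tcp
US 8.8.8.8:53 youareanidiot.cc udp
US 172.67.143.125:443 youareanidiot.cc tcp
US 172.67.143.125:443 youareanidiot.cc tcp
US 172.67.143.125:443 youareanidiot.cc udp
DE 193.161.193.99:39917 sebeee-39917.portmap.io tcp
""".strip().splitlines()

# Assumption: analyst-maintained lists; ip-api.com and portmap.io are the ones seen on this page.
IP_LOOKUP_SERVICES = {"ip-api.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
PORT_FORWARDING_SUFFIXES = (".portmap.io",)
EMBEDDED_PORT_RE = re.compile(r"-(\d{2,5})\.")   # "<name>-<port>." hostname convention
REPEAT_THRESHOLD = 3


def parse_row(row: str) -> Dict[str, object]:
    parts = row.split()
    country, dest, proto = parts[0], parts[1], parts[-1]
    domain = parts[2] if len(parts) == 4 else ""
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def dns_activity(rows) -> Tuple[List[str], int]:
    """Separate forward lookups from PTR (reverse) noise; return (sorted forward names, PTR count)."""
    forward, ptr = set(), 0
    for r in map(parse_row, rows):
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            if r["domain"].endswith(".in-addr.arpa"):
                ptr += 1
            else:
                forward.add(r["domain"])
    return sorted(forward), ptr


def summarize_connections(rows) -> List[dict]:
    """Group non-DNS flows by (ip, port, domain, proto), count them and tag what stands out."""
    counts = defaultdict(int)
    for r in map(parse_row, rows):
        if r["port"] in (53, 5353):          # DNS and mDNS are handled by dns_activity()
            continue
        counts[(r["ip"], r["port"], r["domain"], r["proto"])] += 1

    summary = []
    for (ip, port, domain, proto), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        tags = []
        if port not in (80, 443):
            tags.append("nonstandard-port")
        if domain.endswith(PORT_FORWARDING_SUFFIXES):
            tags.append("port-forwarding-service")
            m = EMBEDDED_PORT_RE.search(domain)
            if m and int(m.group(1)) == port:
                tags.append("hostname-embeds-port")   # sebeee-39917 -> :39917
        if domain in IP_LOOKUP_SERVICES:
            tags.append("external-ip-lookup")        # T1016: learn the victim's public IP
        if n >= REPEAT_THRESHOLD:
            tags.append("repeated")
        if "nonstandard-port" in tags and "repeated" in tags and proto == "tcp":
            tags.append("c2-candidate")
        summary.append({"destination": f"{ip}:{port}", "domain": domain, "proto": proto,
                        "connections": n, "tags": tags})
    return summary


def iocs(rows) -> Dict[str, List[str]]:
    """Pull out the indicators worth blocking or hunting: C2 endpoints and IP-lookup beacons."""
    out: Dict[str, List[str]] = {"c2": [], "ip_lookup": []}
    for s in summarize_connections(rows):
        if "c2-candidate" in s["tags"]:
            out["c2"].append(f"{s['domain']} ({s['destination']}/{s['proto']})")
        if "external-ip-lookup" in s["tags"]:
            out["ip_lookup"].append(s["domain"])
    return out


if __name__ == "__main__":
    names, ptr = dns_activity(NETWORK_ROWS)
    print(f"forward lookups: {names}; PTR noise rows: {ptr}")
    for s in summarize_connections(NETWORK_ROWS):
        print(s)
    print(iocs(NETWORK_ROWS))
```

Blocking the IP alone is weak: portmap.io hands the operator a new forwarded port and address on demand, so the hostname pattern and the beacon behaviour (repeated TCP to a high port from a user-profile binary) are the durable indicators.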

Files

memory/1428-1-0x00007FFAAF443000-0x00007FFAAF445000-memory.dmp

memory/1428-0-0x0000000000500000-0x0000000000518000-memory.dmp

memory/1428-2-0x00007FFAAF440000-0x00007FFAAFF01000-memory.dmp

memory/1628-12-0x000001EC9BC70000-0x000001EC9BC92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zx5rpgu0.qdv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1628-13-0x00007FFAAF440000-0x00007FFAAFF01000-memory.dmp

memory/1628-14-0x00007FFAAF440000-0x00007FFAAFF01000-memory.dmp

memory/1628-15-0x00007FFAAF440000-0x00007FFAAFF01000-memory.dmp

memory/1628-18-0x00007FFAAF440000-0x00007FFAAFF01000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d14ccefeb263594e60b1765e131f7a3
SHA1 4a9ebdc0dff58645406c40b7b140e1b174756721
SHA256 57cd435c8b2bf10a2c77698301789c032e1b6b623ff1420c72e8bca0b10f1e5c
SHA512 2013a26123f72a4106524fd9d7389ac4654f97033d22707efc084fb2a3ad01c298eb64f01bb64861ab603615022dbe7cfc97475346edb16b3ba72e905127f101

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 01fff31a70e26012f37789b179059e32
SHA1 555b6f05cce7daf46920df1c01eb5c55dc62c9e6
SHA256 adf65afaf1c83572f05a99bf2ede8eb7be1aab0717d5254f501d5e09ba6f587b
SHA512 ac310c9bc5c1effc45e1e425972b09d1f961af216b50e1a504caa046b7f1a5f3179760e0b29591d83756ecb686d17a24770cf06fcea57e6f287ca5bbf6b6971b

memory/1428-57-0x00007FFAAF443000-0x00007FFAAF445000-memory.dmp

memory/1428-58-0x00007FFAAF440000-0x00007FFAAFF01000-memory.dmp

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

MD5 82169b627dbfe99d35fca87bdf7cabaa
SHA1 756cf0fd9aead5ea0b473dab2ccd52d08d65513f
SHA256 e75ad7de2b0cb0e49e744d6e7e4a605d5d76467f3438b6cb0207b471105d9d92
SHA512 0798875a6b92826d59d827c6d8fd37af6d0d6bf107b6e6904f3b9ea01c5112def72300fe0ea0142580401bb24b42f05ce94f7a20ce212ec4a61895b247ddd60e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/1428-68-0x0000000000DE0000-0x0000000000DEC000-memory.dmp

memory/1900-69-0x0000027AC7A90000-0x0000027AC7A91000-memory.dmp

memory/1900-70-0x0000027AC7A90000-0x0000027AC7A91000-memory.dmp

memory/1900-71-0x0000027AC7A90000-0x0000027AC7A91000-memory.dmp

memory/1900-81-0x0000027AC7A90000-0x0000027AC7A91000-memory.dmp

memory/1900-80-0x0000027AC7A90000-0x0000027AC7A91000-memory.dmp

memory/1900-79-0x0000027AC7A90000-0x0000027AC7A91000-memory.dmp

memory/1900-78-0x0000027AC7A90000-0x0000027AC7A91000-memory.dmp

memory/1900-77-0x0000027AC7A90000-0x0000027AC7A91000-memory.dmp

memory/1900-76-0x0000027AC7A90000-0x0000027AC7A91000-memory.dmp

memory/1900-75-0x0000027AC7A90000-0x0000027AC7A91000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk

MD5 c864a25d100712e050ec491bf687877c
SHA1 b1ee878dc6f1ae15f821a477ebc940b7b88907ab
SHA256 34585f867f3633ccb2730c9cfac6f95896285cff7c1d43ec4fa804f96d2c3710
SHA512 7085c50bd3183d837ad963c36cead1a5a1776839dac44f41b16d7b2adca1ed07555bb676773ad3f0914657e33022edd1a078f0d074da8fcd4da9c69ed6f26371

memory/1428-84-0x000000001C420000-0x000000001C42C000-memory.dmp

C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

MD5 e43554a677fcbf8a9b1a99ca846a306d
SHA1 d6e8999264cbcb9a8536163349db059c95a617e5
SHA256 95e96c757162efafc50a12a475c8bab0fd1ac9c12477abaaa4b561a4b374cc52
SHA512 099a92de87abfb82a24b1e3c2adcc7c38735da99b4a8fa55c469da2adf6c6543402bce179c9a946009b4334ba298d3f6dd61c47b5f7d46f2ac7b93933798894d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c39b3aa574c0c938c80eb263bb450311
SHA1 f4d11275b63f4f906be7a55ec6ca050c62c18c88
SHA256 66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c
SHA512 eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

\??\pipe\LOCAL\crashpad_3504_AWHCXYHAQBQTPTTN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 dabfafd78687947a9de64dd5b776d25f
SHA1 16084c74980dbad713f9d332091985808b436dea
SHA256 c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201
SHA512 dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ea777f4cbe7a7c1d4cc06526af5c670a
SHA1 9e39dae7981fe55f49feeabff0fc3584548b5652
SHA256 d00da082112339b3e97229aa23bd218b858a0c4f7db5ed11d562c9faa0ac8b39
SHA512 8ddac604b4c219e47ce731eecb9ffe4099ce6e4e83a785be767f37f35e10cb7d101e9994fd3788d31c8dd4b575a2e863bede5d77f0ff3c0d27e3821ea5a12356

C:\Users\Admin\Desktop\How To Decrypt My Files.html

MD5 4ee570f156e01fb1ad71ae9153c86613
SHA1 57bed100161449beab252787f9cc641ec7e1b627
SHA256 8630bd6802411bb07a9c80a62399b8f7a547f8e0dce51e84eacd923e94eab06e
SHA512 458f317d082ca62e4a52fba1b4cfc5d0d83911634d55c5dbe696c5d297ca3c464f623f90e7f5f8035d2ad7965d5dbaadb5a1e3a8024df9c7c8373055512492dd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 94a7c16198948617ca805be0f399143e
SHA1 83c2c995e289d1bf50b9644e8ba4f313ac8405b8
SHA256 3e0323f6adb30faffc619969fff24eea674b0d54f9864c6abaa950e4be181eb1
SHA512 2e1e1d22a328fca7cd540a8b862b30b713a377d32e9eaf5b316c5bd32019ad382e2fada844226f134956c76420038fe2b93598ec0e8e9e95699ee9b2ae272c59

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4624c610b83a8ea0f2a0eb2c43ccd9ab
SHA1 1e357a0f137920cf8943d084445bcaff43b9d522
SHA256 396e40bd9c4ec13a9c1146782daf2f4e9e1a795f894d272457d53e13983ae88f
SHA512 522c928a239b4be7f116c0da302b2363f865083dfc5240a61563b9dca79a4ec18160464876e9abbb8d504f6acf269ea36945b8b287c391f4bdc913b085689697

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

memory/1428-975-0x000000001B5A0000-0x000000001B5AA000-memory.dmp

memory/1428-976-0x000000001B5B0000-0x000000001B5BE000-memory.dmp

memory/1428-978-0x000000001B5D0000-0x000000001B5DA000-memory.dmp

memory/1428-979-0x000000001CF60000-0x000000001D11A000-memory.dmp

memory/1428-980-0x000000001B5E0000-0x000000001B5E8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

MD5 eab91b1e6b72280d41f8b1d67942df73
SHA1 90973b5d888e9f35490fe5ca5f38ef2fe8b525cd
SHA256 66694ba8b62018fff321e7202b41bd065968e6a17d24743640a2aecee458b38f
SHA512 b3c96b13166df364e4bef11d69639f0c9b1388af699bacdfa8ab785d287b03bd46a6da530c9b6421d9bcff7619affd1d0832b1848f34baf733b7c3bf2cd68058

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

MD5 b3c3ca308649178fbe5ca96dfe3c911d
SHA1 4414ea709d1abe590ca504ffcd50d38c22562b47
SHA256 b3ab872736d567cfdbc2b5b27f3b6f48b7364cd5d2962ec8cc3d6207ee981a86
SHA512 19845a736b1ec973a60327bb8236c13a95dc7aee0483b898f188b48502f3c721f09757b2280d3fcf3356f316e9701d2d4c3455c4a1c05635c5955a328d334b59

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

MD5 ff8014e42c70bf284c0af985d8ff1017
SHA1 f6db9993a652526b67471b8d66e47456cfbf0d1d
SHA256 ede0be8b2ef34509271fa118185da86d45d1d308bde331f7ef48693f202000de
SHA512 a2bd66260fb8dd1200678573d6912c29742e2898fe8c68054ffda6214db49d9b5a156710a2727bd939eed7732c1aeb1f844b92675c74d83073992a2ed5d2b366

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

MD5 79f13416ab1d5da2fd356807a4bf59d1
SHA1 06246414229d25d2a20b0c4e69667b96f5a582d2
SHA256 387324641f3be1f74ec80420042d000bb6ca53fdf155ca13aef3e72e09181012
SHA512 2ae1b04a2c71c4b44c6c79cc88d2b6cd0ce79a046192cedb90452b61748dfbd37dbed1155be92fcaa7a0388a07c76c063110afc0c1ad27c5181c7aa7dbf6affd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13363384932402146

MD5 db5457ca41b624f66c76cde62476fffd
SHA1 28c399a03d8e8e119c53814461322fe2ec9cf7ce
SHA256 d792fb07106be97504e77cd05b86c396b81f2204efe40a68213553f0bca6d8de
SHA512 216e90264afda42c983e88615e47bb81b7062bf94ee0c64acfa8276288dc4a60fb48742971b706a7caab1ea25df07841e80d9a55ca6ed7fadfefba2c59d17dae

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

MD5 dd268d5a08af856a4fd26f6d919e038c
SHA1 dbdaad9940bb24b8673f0f2fa51e42bc7327add8
SHA256 be06b0539c30c76023da644352aeb9d9f491fa85f7de88346b8b29aebd8c664d
SHA512 6251a3bff579a1a4647e72dab922616e9831b351c5d0e7bde35ba150e288db65bb10c1cbe79261b7a9cb6d17d1fba435efda84ba72ed36328a96cd5ff7fdfbdd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

MD5 0ee24cc62c5cc62a22cb216956ca2453
SHA1 0ac492877c7a3494c6c6d00d7aa1950cde5df875
SHA256 fac5611268798db6290a7daeb38585e69b0fb28bd9c098b06287f27d16bc74ad
SHA512 768d68c6431515a065084c9fa97817fa2d351746520fde66d9cf425fea9678b78ad9d81d421190778eabd4303983409f48be6ed9a97439673e0fb63c0bc6c180

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 82189e26c57d45de7e292966a2dade7c
SHA1 24692165dd8801f6203f32b5ef7336b0f87abe02
SHA256 49622e3f1a4e45513eacae89203a194e49e16cf4938158624ee8fef219931316
SHA512 6a4da19b81e3d48a459b3c165c8a1330f84024a8c9def78ed49d361d772d469f6f52f82b8f795e3d022536e40e52cb5b964f87e335dd5f0d237bb968498047c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

MD5 55bdf38b655a312971f97058156ebabb
SHA1 d1104b1e918f06ef54041be3be24b06c0662f52b
SHA256 37ea53da049c04e9fe659ee3e0d069f34e28e42a452d9fd6da4926212a940242
SHA512 30f6ac4e78236790a5650a58e3909ccc3bb828d854070893d7dc002957c44a9aa7f4ab20ff0897d64ba4dd8fffa80b8ece9cba40e21c266a1ab971639d6612b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

MD5 773722a499e6036379f56af91325f3ad
SHA1 989d3c84b2c8664e798981cb054a820ca85097f7
SHA256 001d3b749ea4dd99e9353b4a4027b37d0beba35eedc3df2a0e853d6fa8d5841a
SHA512 bc752822420796ca657fbf7bb27dd1d95ba48b09417420f37feb78ed320dc918c7a72841f97df302586db221de09f82d7cf92e776e54dec48253eb4f4f51b0aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

MD5 906bbb84d4398ad4b350015c7b55460f
SHA1 836827431642753f3629033c1742fa1a681f4163
SHA256 e261a87c543b04c97661e98abfb4b436cbee20a1ea8f3e89a489b7fa9482fc20
SHA512 49ed5ff345e56f524f3411811e0b1f6428244e51d858758c9ca1987d9b9ec36cd6970c7cf9ca5404bbc02be32047035c893c64c15dcef7d23837569216969405

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

MD5 e40bbb439f031a320ad5360bc4b82243
SHA1 8de50a56f79fbf9362bdc86eec66f13745323dc7
SHA256 9d5e47e05103e1a0eb1017a48d782f7f53287417684f173862f3534c1a948d08
SHA512 da4097f39657aa488046494c299808e6ba8e9ad0a7d075534df4e566150d49615163a6d972f8132c1ea66be56b1c3458b7a08b73e0dc34834f68e85a06d910af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

MD5 fa1af62bdaf3c63591454d2631d5dd6d
SHA1 14fc1fc51a9b7ccab8f04c45d84442ed02eb9466
SHA256 00dd3c8077c2cca17ea9b94804490326ae6f43e6070d06b1516dfd5c4736d94d
SHA512 2c3184f563b9a9bff088114f0547f204ee1e0b864115366c86506215f42d7dbf161bc2534ccaee783e62cc01105edffc5f5dabf229da5ebd839c96af1d45de77

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

MD5 69a750f63b2661199de5bf2c3199b8ee
SHA1 9dc5c22b1443dbc415fa28c34c0cf307dfdc3bc3
SHA256 f09b39dbf184bd8fce6b71651bf1a7ba294484c09bfdaee3f188686201c81db5
SHA512 8421577ec57defef580fb3a0938d28abdae831d931aff94e55d5e6e59de0fd814ac94e4b2c0f14a23c114cb93ea732777b7d454454fdfedc7718627f83a7e2e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

MD5 d5d0188fee0a3a5066a28832e7834827
SHA1 5dfe324a604508f08ec68cc69ccb584fc5630b74
SHA256 1d3ed3673d07ee8d8c9d84dbe0f0e872882aa13ca23baf3ab9cf9037aba6594f
SHA512 9ecfb880a81e566d16d98408fc4239d9bd6f024fb094bf17e0e210b350b39ba93fa11c656f49868025ddff8d156e9f058c62cc48e3c3de088ab72649df4f06b2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

MD5 ed36841fddb9fd211443fb415cd9910c
SHA1 22706027cfefc29a7af501969f631fa3309d9295
SHA256 2824b6d06c79db4aaaa979eaa4d2827007ae7ff96f810d013c11795aeb9d5e03
SHA512 87d9878bb3eccfbffd0436976d6c5a66fc17265f1a7fc77940ab9314c905e391bdafba44c45e77f2e56f761f6b01252a70404f1a30815ff080f77a5697c63edc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

MD5 d196d458d18d4cdc5a222b3cff52e8b4
SHA1 6aedf49f841c3b255aee33c7880cdac28764c946
SHA256 16dc464092ae62cd331f3e7a35c94df81bd2f67225ef2684cdf33a866c69740c
SHA512 242815d9d9819c628815301ff2d0da818cdbed25420f20d16396ead107a8146f861c9d9e7db5934229c468d5c7b0fb85054c538852b188890d414aa7efed6167

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

MD5 b9229deadad7d257782a2cdbea0386a1
SHA1 65e9a2e590067e652e99f06acedfda6899866d55
SHA256 7266dc40d407da411378476af42fbee28db638946a151c735d185c9a4adf1c63
SHA512 042637a80ae2658333c8da572a8548b3e6c9b6bd8bd3f56afe518fca999182f0d1041d8aa9270827ed2461b6570d23e853ce531a021170ce05e71148d8202ad4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

MD5 45f76233596b3d70ca17bd8e4d4ff1c8
SHA1 afb89e9da8d69a0e0281e24b9a35610a9791d321
SHA256 1c75f747abdfef35ec7eb62069785912743cb0ec0d7ef1cea10e12a75cda7681
SHA512 4c54f8948027bffd72f432e58a4273124bbfdef388f6e180cb2e044a487c5d89b8fbcedac1b2239bc6e9c81917f1ce2362efa7402a1dc65069d984dae1801d0a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

MD5 05a79b9d754a56bd3a741a077a2eee53
SHA1 f9c34a8cbb6b931cb3ddaeadf32d0f3736becb48
SHA256 979ba8c485f28f676787df22f4340b174988f3fe24204c78a6a4b272bfdeb3cc
SHA512 a7195fd365c7427803aa9ea115c9706d648e5514c2cf6a7f568739aa3807a61a21b03d86a110d2b1157300fcc497fbad649ac5c2f153b033720158f091952d01

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

MD5 064ef79b1ed0e7629ecfff8d0e4269ee
SHA1 bc1c19d01371ccf99e76845959b264fa7b1eb8f0
SHA256 f95b98e69c11b533032b3f9d56ca727d910ff377f8c2cae5e58a05aca954f077
SHA512 9d27773a2ec5f01c48ac9c20b9eae0c78c9355139794c8bb0bee165623998bb69b10b751177626d32e40553a5093d0c911edf71e20bcc5cda75d18a3ecd49bfd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

MD5 08701b7cf076b483738a160deaa5dbd3
SHA1 0cd2178b915d1537b8b60b287507dfaf8a438d1b
SHA256 aa8caab00fcd26479e6a9bd78133ee1bcb64186ac2691a88f9c90437d771fa9c
SHA512 a8f799829dce155b1e978b7f51201a98859b56ca6cf78bbcb8eccc2ab8bdeb95041a9b711a003502b98e650df6d775ee1461ae28ca2293ee0a1d1778ca1ce94a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2df5aa83af43a544ebd5ff0e3a790548
SHA1 c0ca577db08ee988e7bae091e374f166235fa76e
SHA256 1e4a594ca166972b480e4e7a209aae775135b4ae622dc7bc7a157f7e4fceccd8
SHA512 cb133d22879de2482895af2caf803aeb826675ba5c0e14aa97fa65a1832076c416c379580a93c1b42482042bd6f06c66c7f6f3174f2038c437c6c0ea236cc0cf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

MD5 2a815aa01c9cb43757c282f3d6b716cd
SHA1 e2c005f8129935088ca8aa3db31c7c795792a0a7
SHA256 d37da66913bd0ca334d4c1a6e51d1ea6b9cef37b1bdfe5bff7ac56e737742c47
SHA512 5cefa4fe50d814c0ab7f2098745494e62c2d0210445bd359b96bd2d2b1b72f7a0397a32605b385709f55d38f8a14ccfdac295ef7ab9e66e68b6c9d02b5b40346

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13363384932262146

MD5 d7edfcf9085b7a5d1b6d0575cafeebf3
SHA1 55807b2898d80c644d6317e8435ceebb03968666
SHA256 e83dfd14fdb5d05a541b29106e32cb5ef2e32384612261ab08d9940dd43c26aa
SHA512 2e461549b71c0ba08b33f09dcf39c2adeba64722fcfc92ec56b5b4b4cb8f1b28a90a4f8e29f9b5ba5c4e2bb566f3aa6db88775e4942c56477f5f0bcdabb20fb8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

MD5 4bc52bd19776147d5f22e62338342f97
SHA1 8659be7737b0420a6eb7cd343c138d68ab448002
SHA256 8d436080ffd8cacb719c6a664522b35d4f557b2b344698260cfefa8fc90a63f9
SHA512 08a5783fa2fbcb084997b51aae1ba6ed7f09f9c9026af6b598a555b99ec52c656f29038d6b396a6f5d88f969ea74d9aabeb8f628c4b36cc40f5ff85161bcb886

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

MD5 101713c0ccb5708bb5fd3f6775f047c6
SHA1 88690bf9e67d4432c529f1591cffa540ba97ace5
SHA256 f41d5982493d5c17c9b7725af742272f8c809a2b534c4c8c3786e89b01da3c98
SHA512 88cb5d9465723c807563506c05100dca80b330a59ddee249d6546737cd7169f83c5477ebf32c2ee25fcf698aac4e79ba49b7f45838ddefb22d23c66c38f0be71

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2dec34793b8725bf730d7ce338f3e76e
SHA1 df79e34f98b8ae50c85210916b1db3f47b002f41
SHA256 b760d300cbb23e9f15c794c9319d9687b10489ab1d99297ed74cacb1e663090c
SHA512 65c3dde6d6cf77da79cbf53d77f63b2293f73e3ca62f8b65e2538ad2d849980272afee5a1c82e0e85f1af4f24b745fc9a76b8c84437610c1a843a12dc97f608f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4a1b330688563a3441338823d24a7a38
SHA1 170909ce6bae2ee130d5ad1a5705db462ac7ae3e
SHA256 9bdda426ba88778741942cc27d50651460d255b450973b6eb9b446491b01fc92
SHA512 0dac57a0cc1b183091a400c2ee46c7d1c7891ad397c1c6d778e724b27c4489e8204f0a3534f18a9bde34850ddd511ddad21b02a3cd0b1948b24fe7353fcccc60

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 a0ef36b3276b7f45de6ab00c200a29f1
SHA1 951ebd63ff5472a035a7ef01a9659d8da9878088
SHA256 03db1865f96e979149a88ec5a662da6fc8e29f92b4c5e587aa93346245e4e313
SHA512 3c8ed70f5a737e12ff96b21e9d49d811053192a8c422b848350aa6eefaac9c1516ae1fd92df62df1cb1f5dda20a6bc0ad4b302bf0db9f6ec16bac7655bd67f0c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e78e467176c650e839c5216fee11c102
SHA1 1f4a8c81241bc39b04c65b2bc256ddb11f0cec98
SHA256 57457402007fe8d7d20230e137233a1d8ea5dd091780cf0c93e6a44f4203f3df
SHA512 21823dcecd592afe7d86f1421793e7149ec3538e70b2f5394252ce04cd1fedb424a615fbd38cad839cb2e044acafd4037456832d589543c9b508a923debf9543

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2bad1836e4cc3990c933c3e84c9e725a
SHA1 ddf3d937995fa4c8a588b82c01360fed65958dcc
SHA256 3a0e043dc3d8245f72d5d4115e8d66a6bf5fa1d529ddc6ac0b848cf01c36c413
SHA512 fce3a7d04cb5c4b48584a17ca030cb3e38baf6a9b3ba5a1b67b2d5322bd999c3f44c926bf3e3f4e8095c5d1949b8f306ff013076b1f284ddc887e21fd797927d
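Four entries in this list carry the story and the rest is Edge profile churn from the two browser launches: C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe has the same SHA256 as the submitted setup.exe (the sample copied itself into the user profile), RuntimeBroker.lnk in the Startup folder is a second persistence path alongside the scheduled task, the NTUSER.DAT transaction log renamed with a trailing .ENC shows the encryptor appends its marker to whatever it touches in the profile root, and "How To Decrypt My Files.html" on the Desktop is the ransom note that msedge.exe was launched to display. The Python below is an added example written for this report, not sandbox output; it correlates a constructed subset of the (path, SHA256) pairs above against the sample hash, infers the appended extension marker, and pulls out the persistence and ransomware artifacts. The list of common extensions and the ransom-note keyword pattern are assumptions.

```python
import ntpath
import re
from collections import Counter
from typing import Dict, List, Tuple

# Sample hash from the report header.
SAMPLE_SHA256 = "e75ad7de2b0cb0e49e744d6e7e4a605d5d76467f3438b6cb0207b471105d9d92"

# Constructed input: (path, sha256) pairs copied from the Files list above, Edge cache files mostly omitted.
FILE_ENTRIES = [
    (r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zx5rpgu0.qdv.ps1",
     "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"),
    (r"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe",
     "e75ad7de2b0cb0e49e744d6e7e4a605d5d76467f3438b6cb0207b471105d9d92"),
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk",
     "34585f867f3633ccb2730c9cfac6f95896285cff7c1d43ec4fa804f96d2c3710"),
    (r"C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC",
     "95e96c757162efafc50a12a475c8bab0fd1ac9c12477abaaa4b561a4b374cc52"),
    (r"C:\Users\Admin\Desktop\How To Decrypt My Files.html",
     "8630bd6802411bb07a9c80a62399b8f7a547f8e0dce51e84eacd923e94eab06e"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences",
     "d00da082112339b3e97229aa23bd218b858a0c4f7db5ed11d562c9faa0ac8b39"),
]

# Assumption: extensions that are never the encryptor's marker. Illustrative, not exhaustive.
COMMON_EXTENSIONS = {".exe", ".dll", ".lnk", ".ps1", ".html", ".htm", ".txt", ".log",
                     ".dat", ".db", ".json", ".tmp", ".ini"}
EXT_RE = re.compile(r"\.[A-Za-z0-9_-]{1,12}$")
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
RANSOM_NOTE_RE = re.compile(r"(decrypt|recover|restore|readme).*\.(html?|txt|hta)$", re.IGNORECASE)


def self_copies(entries, sample_sha256: str) -> List[str]:
    """Paths whose content is byte-identical to the submitted sample (the dropper copying itself)."""
    return [p for p, h in entries if h.lower() == sample_sha256.lower()]


def startup_persistence(entries) -> List[str]:
    """Anything written into the per-user Startup folder runs at next logon."""
    return [p for p, _ in entries if STARTUP_DIR_RE.search(p)]


def infer_marker(entries) -> str:
    """Guess the extension the encryptor appends: the most common final suffix that is not a
    well-known extension and sits on a name that already had an extension of its own."""
    votes: Counter = Counter()
    for p, _ in entries:
        name = ntpath.basename(p)
        m = EXT_RE.search(name)
        if not m or m.group(0).lower() in COMMON_EXTENSIONS:
            continue
        if EXT_RE.search(name[: m.start()]):      # the stem still looks like "<file>.<ext>"
            votes[m.group(0)] += 1
    return votes.most_common(1)[0][0] if votes else ""


def encrypted_files(entries, marker: str) -> List[Tuple[str, str]]:
    """Files carrying the marker as an appended extension; returns (path, original file name)."""
    hits = []
    for p, _ in entries:
        if marker and p.lower().endswith(marker.lower()):
            hits.append((p, ntpath.basename(p)[: -len(marker)]))
    return hits


def ransom_notes(entries) -> List[str]:
    return [p for p, _ in entries if RANSOM_NOTE_RE.search(ntpath.basename(p))]


def triage_files(entries, sample_sha256: str, marker: str = "") -> Dict[str, list]:
    marker = marker or infer_marker(entries)
    return {
        "marker": marker,
        "self_copies": self_copies(entries, sample_sha256),
        "startup_persistence": startup_persistence(entries),
        "encrypted": encrypted_files(entries, marker),
        "ransom_notes": ransom_notes(entries),
    }


if __name__ == "__main__":
    for key, value in triage_files(FILE_ENTRIES, SAMPLE_SHA256).items():
        print(f"{key}: {value}")
```

The same hash check is worth running in the other direction during response: any RuntimeBroker.exe found outside C:\Windows\System32 whose SHA256 matches e75ad7de… is this sample, whatever it was renamed to.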