Malware Analysis Report

2024-10-19 07:14

Sample ID: 240905-hg428swbre
Target: bipecdki.jpg
SHA256: 97f3aabf9445d243dccfe0a8e0662d279e2d77f0ad88e75ec44496af748e6eea
Tags: chaos bootkit defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 97f3aabf9445d243dccfe0a8e0662d279e2d77f0ad88e75ec44496af748e6eea

Threat Level: Known bad

The file bipecdki.jpg was found to be: Known bad.

Malicious Activity Summary

chaos bootkit defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan upx

Chaos Ransomware

Chaos

UAC bypass

Modifies boot configuration data using bcdedit

Deletes shadow copies

Deletes backup catalog

Downloads MZ/PE file

Disables Task Manager via registry modification

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

UPX packed file

Writes to the Master Boot Record (MBR)

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Sets desktop wallpaper using registry

Subvert Trust Controls: Mark-of-the-Web Bypass

Browser Information Discovery

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies registry key

Checks SCSI registry key(s)

Suspicious behavior: AddClipboardFormatListener

Interacts with shadow copies

Kills process with taskkill

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Runs ping.exe

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-05 06:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-05 06:43

Reported

2024-09-05 06:49

Platform

win10-20240611-en

Max time kernel

315s

Max time network

321s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\bipecdki.jpg

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Disables Task Manager via registry modification

evasion

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\covid29-is-here.txt | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1453213197-474736321-1741884505-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A
N/A | raw.githubusercontent.com | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\439D.tmp\mbr.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\p4zbxycqn.jpg" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Covid29 Ransomware\TrojanRansomCovid29.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\439D.tmp\mbr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\shutdown.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29LockScreen.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

NTFS ADS

Description | Indicator | Process | Target
File created | C:\Users\Admin\Downloads\Covid29 Ransomware.zip:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29Cry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29Cry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29Cry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29Cry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29Cry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29Cry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29Cry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29Cry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29Cry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29Cry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29Cry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29Cry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29Cry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29Cry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29Cry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29Cry.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29Cry.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2240 wrote to memory of 672 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 672 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 672 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 672 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 672 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 672 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 672 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 672 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 672 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 672 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 2240 wrote to memory of 672 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 316 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 316 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 4088 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 3648 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 3648 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 672 wrote to memory of 3648 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\bipecdki.jpg

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="672.0.1607850209\2597194" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1676 -prefsLen 20845 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {75a642d8-dae4-49c6-9e01-f58c2255cf2a} 672 "\\.\pipe\gecko-crash-server-pipe.672" 1764 2d8110f7e58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="672.1.1726238662\1558411819" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20926 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a55c8fb-3448-4931-8790-d299a0f06720} 672 "\\.\pipe\gecko-crash-server-pipe.672" 2120 2d810c31d58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="672.2.326863792\885556999" -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 2856 -prefsLen 21029 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {04d766b4-ce1e-419a-ba99-d14ea228d761} 672 "\\.\pipe\gecko-crash-server-pipe.672" 2872 2d8153dbe58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="672.3.829134861\1247525197" -childID 2 -isForBrowser -prefsHandle 3504 -prefMapHandle 3500 -prefsLen 26214 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ca82a31-5272-4616-8347-9ef75db70802} 672 "\\.\pipe\gecko-crash-server-pipe.672" 3516 2d8161ac958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="672.4.1435449464\423660178" -childID 3 -isForBrowser -prefsHandle 4408 -prefMapHandle 4404 -prefsLen 26349 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {89556449-6fd0-495a-9e4c-bcd25eec8f2f} 672 "\\.\pipe\gecko-crash-server-pipe.672" 4420 2d817767b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="672.5.233179894\770496782" -childID 4 -isForBrowser -prefsHandle 4832 -prefMapHandle 4828 -prefsLen 26349 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90098c8c-31e5-4055-9691-4bf0fc981da0} 672 "\\.\pipe\gecko-crash-server-pipe.672" 4840 2d814a27358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="672.6.1554331130\794979183" -childID 5 -isForBrowser -prefsHandle 4716 -prefMapHandle 4684 -prefsLen 26349 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6a0d4f0-196a-4c17-aa7d-755029d40323} 672 "\\.\pipe\gecko-crash-server-pipe.672" 5016 2d814a28558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="672.7.1917875673\1597756180" -childID 6 -isForBrowser -prefsHandle 5128 -prefMapHandle 5132 -prefsLen 26349 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8cece66-1aa6-4dab-beb0-0af86ab310a9} 672 "\\.\pipe\gecko-crash-server-pipe.672" 5036 2d816614658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="672.8.1399240018\1339396237" -childID 7 -isForBrowser -prefsHandle 2716 -prefMapHandle 2708 -prefsLen 26509 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98492cc8-628a-4951-b476-f8077a301d20} 672 "\\.\pipe\gecko-crash-server-pipe.672" 5720 2d8153a0058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="672.9.1615244863\1155180550" -childID 8 -isForBrowser -prefsHandle 3996 -prefMapHandle 4512 -prefsLen 26949 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ce3b1b6-1620-45e1-8cdd-6993846b23f1} 672 "\\.\pipe\gecko-crash-server-pipe.672" 4500 2d81a052158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="672.10.708781844\1246253455" -parentBuildID 20221007134813 -prefsHandle 5832 -prefMapHandle 1556 -prefsLen 26949 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {378eb49d-074f-4d84-aafd-d79f852e59e7} 672 "\\.\pipe\gecko-crash-server-pipe.672" 4120 2d81a187258 rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="672.11.1892150126\350819897" -childID 9 -isForBrowser -prefsHandle 6388 -prefMapHandle 6412 -prefsLen 26949 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {563b8435-4b6c-4fe7-be15-d86f7cd554b0} 672 "\\.\pipe\gecko-crash-server-pipe.672" 6312 2d81a84b458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="672.12.972467699\1331257660" -childID 10 -isForBrowser -prefsHandle 10524 -prefMapHandle 10528 -prefsLen 26949 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8f52918-39d3-4904-b122-203c45074f8a} 672 "\\.\pipe\gecko-crash-server-pipe.672" 10536 2d81a5c7058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="672.13.1343061091\586114338" -childID 11 -isForBrowser -prefsHandle 4300 -prefMapHandle 4308 -prefsLen 26949 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8c431e4-268b-43f0-965c-969f032fe9bc} 672 "\\.\pipe\gecko-crash-server-pipe.672" 4284 2d8139fae58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="672.14.654586143\1219613940" -childID 12 -isForBrowser -prefsHandle 5296 -prefMapHandle 5284 -prefsLen 26958 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99657824-eaff-4207-9e9d-d231b373aca4} 672 "\\.\pipe\gecko-crash-server-pipe.672" 5248 2d8193ba658 tab

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\Covid29 Ransomware\TrojanRansomCovid29.exe

"C:\Users\Admin\Downloads\Covid29 Ransomware\TrojanRansomCovid29.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\439D.tmp\TrojanRansomCovid29.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\439D.tmp\fakeerror.vbs"

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\AppData\Local\Temp\439D.tmp\mbr.exe

mbr.exe

C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29Cry.exe

Cov29Cry.exe

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 9

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt

C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29LockScreen.exe

Cov29LockScreen.exe

Network


Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\4e235c0f-af89-48ed-b987-40286ee6bf3c

MD5 557cfc2573b676d526c11000a7fc445e
SHA1 b3332eef41cc7e30a597dadebac2a82e96855ff6
SHA256 dc262d7010f02ab4ed17d03af18963277e9c329528faf0b628c54c9a097be528
SHA512 478418cb1e0e34d0b3061e1e5013863d360d6a6aabc3c58d50e8ba3eca4b162006466a69368bc7f818e00d35520fc745542b2ca0c068bbf4aaf06d176860d2a5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\00d5dd9e-6d6d-4c25-b805-a0c5b4886d3e

MD5 701c7aa0b510cd8f09463287a02d17f9
SHA1 0ac394b2fcd8f1375a426ec5344769ab03c0782a
SHA256 482b6a9e2ae7de84bf501dda1e6ad53e4590db12dfa696bb0cca280f8a9c3fce
SHA512 3a686a09c6acdc2a6478d2b18544e3df3035e470331f87f21072cbe2a6bf1ce0c2e238b428b76e0ee85bb0c0e60b6d28e84507b3e612b13661014ff1fb52cc4d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin

MD5 64334b84ecf577abf47b4874bf2d4450
SHA1 a74a32013b128b0e58ccb7d1bd2521d637b5599f
SHA256 021b47aefd55217e2e0f9ffdc0ca68980c096d12b2df440da30e21762737dee3
SHA512 25e2f54dbf9d4f3dabd8922bd3a7c963deb322cc3561ef6acf5bae736cb451db0d861749c546b9576bc92f429035e39e5c84de6c07182068def8b6df68d96f97

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

MD5 851cb82269f00d289553c1447c7b9c58
SHA1 91cdab107b3fe885a1b41d67ce956190470e9a59
SHA256 bf7282998779d72095775f6c1a6a0c1dd3154fe8df9198fccfd8bed7c654ead0
SHA512 5bb6a3c97e2a73af139efe5942e4d3183fc543f683dd41ef760e52af49d1cff5e4c02702d5bf4b24a9733f42d148cf904411b50efa7929a07f84c3354034c466

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

MD5 f26fbdb26ed8a120a5f0ee2bbe200223
SHA1 5b938cacbb88d4d631fa766b0fbbf1dd674de46f
SHA256 0fc1b61b2acbc7cfb16908cc24d8720f119b58f97ca6ef049a9571fca23a7be9
SHA512 6c1bf8f9495f5d2eb73f2519bcf604bfa8342cb408122792d41afa2f2658d7c1126d672a6dafe65b523c32dd1ccca9767429451916f0acf604e614e4c2b17dfd

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp

MD5 bd51bec9a533f0739962e62618860807
SHA1 5587428cecf588af796db6ce39f620255ef39318
SHA256 aac59b88b393b83f4b821ded8b4cb10d5529efe2715e0d35479a96e83633d6f9
SHA512 130891ce83fab7782d281f27c5d6174fd4456c5a7b2c8d64625d602eed9dbc11a5bfcfbfed03aa64140df93b96e9e710731f31e92798aeb3ab3c7f18299b6d53

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

MD5 c460716b62456449360b23cf5663f275
SHA1 06573a83d88286153066bae7062cc9300e567d92
SHA256 0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512 476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

MD5 07b8aa11832d5db3c222dcaa3bf05f55
SHA1 d0fa00a61f79d1096cb3e9c26cad944d62cb8b77
SHA256 e8facd2f90e937aea31dd27073d8228814b0ac159bc991f165609dc94bab0e58
SHA512 f5044a886c962fb925d955c9203a8001214bd869b5af3e29e7497c0789d776c8490a8a75ff70421c49fb663ebc5b7baadfcf4bbb739aecd5dc56423c8744b30d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

MD5 bbfdfcbbb7f9e71f1b138d581a30b09c
SHA1 b2f8a52037b4a11e994d2caa784a2dc8fed7617d
SHA256 1994850dee9847d0ca551276a4fd4d8d3daead4658f470c082c03f5991bb1cac
SHA512 d2f29deb7b11c3b54eaf6ee94ccb1e6c1681cacd112eee88fb31d3f4797252eb9d325aa419eb8bd978de1f2328ce2e17191f73406d1686e8426a15cbc018dfbd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

MD5 7dbce8ed4302cf811b78b91564d37711
SHA1 76c5f2e773db89588ddf73220e7b555be60ad867
SHA256 f15c970fc3eb25ba042bb10be50e75119b350c5874dace2c3368b640bbd5b99c
SHA512 c413b0e72098a0aa61db8123a3bedcca53c256701cbac6bf22b0b5c9c2fccf59e8a85e3aa2c9241b2c23b27632386c767eff7d61334a599afc06740e9d9c593f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

MD5 4c9f02c799905cf51f6caf77a5c3c5db
SHA1 7e1c9d98fa73f9df3f1cfaed98195c0133f8709d
SHA256 63426a2462b54177f1dbc6a16e6686dbcd9fffb635aed4f258c570e03e60b3b4
SHA512 a30ab319e7ab8577668e07e5d073743b1e7a1f05158c7b15211eba6a55c390447388b8f78a064bef37b93ab15ead6098038ecc4e7ce833dc47840a245a79178b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

MD5 0bfe741fc9826430f5a9a3783793437d
SHA1 3082e01262b2ee578e5be7498a5d873821b6a992
SHA256 1145687c64da09ca94d0f6987e76ab70791a5679445ae779bc90e5a3936ce281
SHA512 391de9db3d7ddaf2a63cf921c61aaf742f363bd22f4f0f0aa687adf42519cdb08b6dfafe184ce19de97c0205db682389ab6fc6e8283524733ab15844d0fbf4f4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

MD5 7bc4139fc981d3c9cd94dc3ed4515d4b
SHA1 2bf5a51112b2b9a53bc120b214e53ff4b892a4aa
SHA256 e41dd54b8926475dcc10ce9ac04f70e3dd66342c18ff39508658bb55cdbadbad
SHA512 18724687df14b2f501a0acbd33200304b219c6a7cf15709ab8355f149a6515fd0b70bee04a8596b95a95b55992207a0229e8873f19c4a6a5b6f0e5e10b6047e2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\50CF6F66D02A2113E97AEB57CA53BB652D9A31F1

MD5 2313e7208913550638abf4ae52b29f44
SHA1 aba7b628fdb0fd99a54b9b512a768a8c53eb864d
SHA256 23f67d6f03fe6912c85202ce95aee1a29036c5c5e63b916677eb2be86078bc75
SHA512 ddfa1dda1483a62f5472873665c31e1665afd2d77e50d38ee94ad33fee2c2fd709a4f70f6e6875125476ff1207101cbdfb3780d53e7abd350f3a081a43284faf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

MD5 31b5a0b2d01bf58f3baf6b983b1a29aa
SHA1 ae4fbd317c52227e4f23479e7acf71f4e9e56690
SHA256 f7c5fb3f6ee09fadc6461f74d1da8fb0782c08e7de5827dfeffbcd8e0d7f5632
SHA512 cde4bdcc9d61a26b1377dbcae4e39dfd0c301a02b6e6b0bff739fc236c770a094345116ea44acb4d4a390b497e8cbf757584b44c0ec69d65d58f4e89bfbe8d64

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\doomed\28621

MD5 b00224dd840ac0f2fa2d3dc6c029c0c6
SHA1 7fd1e9fd391420e902c0a494fa3a98438de2866d
SHA256 cbb874fed66416f5898a49fab3ff7cf74cc5708e4b8f8dce6e2d110e91b1596a
SHA512 a207898ba8aeaf4e7aae7350419b3eacd8e63c7accf5f723940af7e806150d9e587f43a81fd77c6e93d61eb070d696711cd42a2f46eea69e1b48556f831eea63

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\doomed\30187

MD5 37f89713f50e851e4be5f91d761e31f9
SHA1 30a1996a5a6c7c6584ca08d0316b24bfd026f887
SHA256 cba2a34388510483dfda9d87c819d9a6a2a9f70a545b2214e1c51993112d1434
SHA512 075d1a75a70f1250a473cfd2d2ea91a7a64f82cc77dfdb09b15fc88067cbdec661923666c5e4470d18d7cd5eb90465176105432aac7ad15005a83751d84bbd61

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\doomed\9359

MD5 78149c19e63ac0c2c982fe1e71ed29d6
SHA1 5e7606a0afc6c5dd97c6a445ab719de3561987c1
SHA256 feb3fd9ec03f263ccbc768f129592988645eb8fd91dbc9da7ad1a090ca28fa1b
SHA512 19ec4862f97de235d30948c1d7caaffbe64e4265fae997c89ea78c0128cc294f4ddd8fe808069c492c11157446f7f824d2708db0384cd888cb2f2fb1fb676a33

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\doomed\18192

MD5 42ae54f3aefeaf952190a1e6d41a9c87
SHA1 7053779b5579762fdbeefb7db7c45839bf4efd19
SHA256 02980e71c09eaea3bcb2cb0274d63b1cf002c4e6cb58de73d993712f87a17732
SHA512 fb551869f716446daf195c7ec3020acf5e3198f28f616b6d5d6b4cb1136fd00d45462616b49746902d54978ce24e72d6377593f4c3fd547b0407a1a1b27bf405

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\doomed\630

MD5 a7b9d4116ff0ec1763253b90c78d1916
SHA1 69d16b5db2c6661ac8a23835eb96ee30a013c0b0
SHA256 b4eebe44baff71ee57a950bf074465f886d819df193cf1a1b8a7ee77afa03ca3
SHA512 0db9b5deaa169d9c61ee65e609e44e12afda9e05871c344c0d6b259f4fdaef0eea2e8d13e3e40f4513817afc99f1487e818c145f742c32dffd01ac24d66379aa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

MD5 b1a160a8523fdd22255cc801b41e7d5d
SHA1 17cd379ddadd73d1e4d0ae06e8349f656d225f90
SHA256 efe7e976c0afef908583330db80e129819013b62ecc7d6e21eaf27a4d4afbf48
SHA512 8a177b13c8ae2b9a1886fe08af73e3c9522a556e320368e55fe49058c3aa77f6d0b86e87528090ffde39c2d9271bacc938f40492def3a3339b4a786d5850f73d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2232182701SeesravbiacteaWDosrgk.sqlite

MD5 706d4b7b63e3e5ea218bc30403bb96ea
SHA1 66b2b4c8c9d7a8bbf7830cfbed88b8c95d82c909
SHA256 1ebc3d2baa22a87f450085ff7bddee68486bbb23a075871e6e8fdba0b71160ef
SHA512 9d1be968bff9112866e03814e78e760a75d66b50b01f0caae77d1e3c60f8369a6e0d11833737e879dc762c54b16aa53cfffa4bff4901131df2b2981e252881f0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

MD5 75820a2d329a99911352d699448a4904
SHA1 2909a8771d2a1a0849cfeadd8f91b5c87c3d80ff
SHA256 a9ef65a10f35c31c3bec80e9e4fc1ec9a392be338f90d534513b16ee9170daae
SHA512 8f0b957bb0e120f847c46d726049a9e9f3c9cb9c67b4e3c7cfaa2277a59bff8ed72f9edfa0929ce92878978eb026f60c213b71211c5a76a4bbaedc7f0deb70e1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\AF6E7B7DB9908D7B867517AC33D094ABD56E38F7

MD5 f1851357ab64827364ecbde8ef2d31fa
SHA1 682d9169630160b95e45e738f71602cb0787b52c
SHA256 a652dacfc663856051037870e71eac3dc7470c4fbc5802d8c48900abcc3ea64b
SHA512 0ce5196658aca5a3e01b9c3e149714e15383db67dc1c818275508e16f1bb280ac048fcdcc909fc2f83b116ab61a58256b157a15c7db98ef9b9045b8be84dcec8

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\F5A1FBDEF4E6F115791D6C8EF1598942067B8080

MD5 fa3680152a27d0e742cd34d8b4f49b94
SHA1 e94f0409ce25bc89e575fd78fdc8026b69262e3c
SHA256 9aefc0480c4dd269f4c023b0ee0b7932cfe4f0fc2186ffb668409d2dfd3dfc2a
SHA512 06825436e9308a233db66c5d1de928274bca5b6e2fc030bf47efbc7c635434ac48dd18cec77b3046086a070d48c38d52b310ba40a534322c4679d7196cd0a055

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\2492994A253B970917AF5CDF605580B1C2DC16A0

MD5 0527592024a44671c9de4ef8a4a9c149
SHA1 74af8db7852ebe7b1b879664956d05bdd7d64189
SHA256 30af46614d76d4188c0ebd1f3f14e83acea14e5f57e22542d51c5c07905478d6
SHA512 9b667a3024a6d1de8f744fbfd091ec91359588412e77b9f00e602735a2578c30041afbed4f187a7926ccfa400be9d016004dadff7b169f74e647f4e76062f954

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\6DA69A746F9687E1FF413119EDE7AAED2F9783B9

MD5 86a041564fe305d4a03d54343a4f059d
SHA1 1ce7b5ae03b84abc3862d62c1f2b11fb668d0e8d
SHA256 4fa8e8bd268435f15595378dd5cd4f9fcd681a4d5d68eeef8d808792957342fa
SHA512 b8bec77eea52219e13f1ffec413ffaf64b28a552b47407920aa68122e302846fb5035dfe971e143d0e270e37a04c8232d6887160fba02764e3bf5e97c14daa16

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\AC6959268E349C7B5497A3867D6DCDC4D543431E

MD5 cf5f6e521391a0e82bb953ffebb2cf61
SHA1 0d50e61b46e52c6228cb320557ca30b3feb4f745
SHA256 47c085e3d1c3689df927afe8c588df9b672aabfe1fd8adff28684fc842ef47de
SHA512 04d922b4c3a9077318b702635e7f70514c45fd008415adc53956aa55ae4fc8a3ebb096b29afe8a35d9666920524bc6e2f31a113170e10d855fc788f7417f24d3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\FF405EA908A0CDBF948198368567C7EC073C7A02

MD5 36f2cb0c00a5d144b1a6da1ad5112e44
SHA1 77c9123d346c562ace6c1a25b6d7e45dd7b256c2
SHA256 eeec188a2eadecc99f8174987513d2190ca3ff3f4fb0b478ccf889e2a1376c9d
SHA512 56070b90bee8bf6f31877994b960b5d63ba57152eb9fc177f8b52ef8000e7f713db9b87affb67e72da14782280cf339702afa73ebe7d07304767cc19b0da131c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\7F30F53457983F11F2D61636C9FB5706ED9AB60D

MD5 bef7e40040683575ee938e6381aef8e7
SHA1 32b8a4cfb3aecd51de2fe3a41d6e8fa8ab9864a8
SHA256 f05ba8d24879c015703fee4027f68fed68ec33e307ba9fe7f5659e577afd4ede
SHA512 30a6f5dd1ccb291d30f2a286d7e013a6f3cb0f162e22f989177d708ce046df82cb8d05dab1c2830a0dfd1dc84bd75ecb905914d35114149d0c57a9a473dab96c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\4BCF7D608B2663D7D1515223C0F13E5D72484770

MD5 3427447dd15bb6f2e6ab26b926808306
SHA1 5f512bcce701256a7b71f7802c613d4b0a41370a
SHA256 3edc86a9c055fc1c433ba331f5a390341d0365fd15c78cb998d651b63960a65e
SHA512 9ad20186216601915495f12ddb8b1f7a3cf6604b3d10d5ab631ad2879dd5f88a220f90dddf75e65801b7c77095e56a6b27d636c022d5c56c7259bc748d48ff5b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\9695EF6C5E0CE18BF6742C5C0EE08F02BAE83E2C

MD5 17702e084fb9bba5d993c92bafa78323
SHA1 87a2ec4fa51c51de31f3dfffd37abdd3ee6d8bdb
SHA256 7934c496092ec5250dbb6db9ded0ed0b8d70016c79544f3224d62a17d4cf0ffc
SHA512 3616f1b9db514662d4a392328209c92406623076b7fa633845b2c747ffba7b4e2735ff671640c3a180b68c1a0d20655c5b6fd304c0199e276aa27142bb61b284

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\AD8185C100979BEE2403BB5F3C0072BB1D314C2E

MD5 9210471d79c2a11be4087dfee0bcc99d
SHA1 2d4e8bb97392bdcbadfd69cb4af724b3e2ae29b0
SHA256 1a8514ee1786e35eab737c038329c2a53c0b10bfc02ecee2f9b76090607e82c4
SHA512 982e17578a7bc8ade01e15f5f5a57b20888054bba0c5ba2bec5d15a4ade4e1b3c0fad4a7cc98f027a007f1bc776981362dcba7a2f78c748af19ce35abf45294e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

MD5 2767492a9d135e043fbffb792dd0522f
SHA1 6d08850650907348f3eb6a09212dc709eddb0e21
SHA256 c6838399d412cbfd579450ae2f31b8002b4617551d7e66e881814f6e1a992c0f
SHA512 ea6f29c146f62866440ceb2a8247b480ff8f5e2726c11ae80eb06f3d89372221274ca9725201b200cf61e1c8b269a13148f2bdeb6a35c13f46eb2e5195904a93

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

MD5 272d3e458250acd2ea839eb24b427ce5
SHA1 fae7194da5c969f2d8220ed9250aa1de7bf56609
SHA256 bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3
SHA512 d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore.jsonlz4

MD5 ac217f013db1f4940bfacb20d85bdd14
SHA1 f8708a45ac57650fce753186546a6d7284c4f112
SHA256 9e51886d731131d94882140f9875fd4060e685518e0e7c3e23c41654ffb014d7
SHA512 fad487bedccd526e56c2e6e925227d62f849cb69162767e0a03ae91a11adff30ce864cbb1318bb0cc4d7a1009cd49e2f50f68f4fc9277670d5ac54143a7fa689

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

MD5 4e4573d2731bcb040e2d1246d03d4ffe
SHA1 c3eae42ed576a9a9446016b73b40b75a40d5d410
SHA256 d77bc520cc71fafeffbcd9645f94cfff51783691dbbf204cacbbe31582d51079
SHA512 df96589143e8fbe3e38d7243d5ade5c5d4af75192084fb7f102443b34c7190edb72a315aa082ed309dd69bb620f4b1d16b2e6291b717fab5531594f96ffb919a

memory/1084-1103-0x0000000000400000-0x00000000005D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\439D.tmp\TrojanRansomCovid29.bat

MD5 57f0432c8e31d4ff4da7962db27ef4e8
SHA1 d5023b3123c0b7fae683588ac0480cd2731a0c5e
SHA256 b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc
SHA512 bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf

C:\Users\Admin\AppData\Local\Temp\439D.tmp\fakeerror.vbs

MD5 c0437fe3a53e181c5e904f2d13431718
SHA1 44f9547e7259a7fb4fe718e42e499371aa188ab6
SHA256 f2571f03eb9d5ee4dca29a8fec1317ded02973c5dd233d582f56cebe98544f22
SHA512 a6b488fc74dc69fc4227f92a06deb297d19cd54b0e07659f9c9a76ce15d1ef1d8fa4d607acdd03d30d3e2be2a0f59503e27fc95f03f3006e137fa2f92825e7e3

C:\Users\Admin\AppData\Local\Temp\439D.tmp\mbr.exe.danger

MD5 35af6068d91ba1cc6ce21b461f242f94
SHA1 cb054789ff03aa1617a6f5741ad53e4598184ffa
SHA256 9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e
SHA512 136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169

C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29Cry.exe.death

MD5 8bcd083e16af6c15e14520d5a0bd7e6a
SHA1 c4d2f35d1fdb295db887f31bbc9237ac9263d782
SHA256 b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
SHA512 35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

memory/4876-1135-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1408-1136-0x0000000000E60000-0x0000000000E80000-memory.dmp

C:\Users\Admin\Desktop\covid29-is-here.txt

MD5 c53dee51c26d1d759667c25918d3ed10
SHA1 da194c2de15b232811ba9d43a46194d9729507f0
SHA256 dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52
SHA512 da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\AlternateServices.txt

MD5 1db52224e448c2240fa8c7cd861ade8a
SHA1 e60ff74ed527edee22541151c8bb1ebf1c5aa156
SHA256 544065fa022a288855f08e4a03feeb147e11f0106230c574a1b9b858e8cb969f
SHA512 ae1ba4816b4b20f385059351109d6f25d9954b73ce7578d79c09aea5e94daa92215ae5004b1c26ad1b20c3549c6c080d9b8b226d8ee78a16b1cfd92b7527092b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cert9.db

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\xulstore.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\targeting.snapshot.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\SiteSecurityServiceState.txt

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionCheckpoints.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin

memory/1084-1209-0x0000000000400000-0x00000000005D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\439D.tmp\Cov29LockScreen.exe

memory/1084-1219-0x0000000000400000-0x00000000005D5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-05 06:43

Reported

2024-09-05 06:53

Platform

win11-20240802-en

Max time kernel

557s

Max time network

509s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\bipecdki.jpg

Signatures

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\豇挡宏衿鳾菰员魸亐聽搯乇凔澷緣瀁.exe N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Monoxidex64.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Monoxidex86.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-131918955-2378418313-883382443-1000\{E8FB6A24-FF9F-47AB-B467-53F3CF98BAE7} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\豇挡宏衿鳾菰员魸亐聽搯乇凔澷緣瀁.exe\:Zone.Identifier:$DATA C:\Users\Admin\Downloads\Monoxidex64.exe N/A
File opened for modification C:\Users\Admin\Downloads\InfiniteBlue.zip:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 894898.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 294334.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Monoxidex64.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Monoxidex86.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\豇挡宏衿鳾菰员魸亐聽搯乇凔澷緣瀁.exe\:SmartScreen:$DATA C:\Users\Admin\Downloads\Monoxidex64.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\豇挡宏衿鳾菰员魸亐聽搯乇凔澷緣瀁.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\豇挡宏衿鳾菰员魸亐聽搯乇凔澷緣瀁.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 4652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2676 wrote to memory of 6072 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2676 wrote to memory of 6036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2676 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\bipecdki.jpg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff3bc53cb8,0x7fff3bc53cc8,0x7fff3bc53cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3836 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5816 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5384 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,7575181326939077778,8279493721149739948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff3bc53cb8,0x7fff3bc53cc8,0x7fff3bc53cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5876 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3448 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1736,9350707952640970131,16732055391953281938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6288 /prefetch:8

C:\Users\Admin\Downloads\Monoxidex64.exe

"C:\Users\Admin\Downloads\Monoxidex64.exe"

C:\Users\Admin\AppData\Local\Temp\豇挡宏衿鳾菰员魸亐聽搯乇凔澷緣瀁.exe

"C:\Users\Admin\AppData\Local\Temp\豇挡宏衿鳾菰员魸亐聽搯乇凔澷緣瀁.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004D0

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\eu.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\hu.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\tr.txt

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

"C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

"C:\Program Files\Java\jdk-1.8\bin\javadoc.exe"

C:\Program Files\Java\jdk-1.8\bin\schemagen.exe

"C:\Program Files\Java\jdk-1.8\bin\schemagen.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt

C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe

"C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network


Files

SHA512 bfd105e4a527b4d33074010d00605905c69979d5ca4a745db78eb085421622a99a847222427e80e7fbcc4741fc61f4c5056787a0a25574f49bb369157a5b5907

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

MD5 16a759878ba9205a87ef515f58c0770c
SHA1 6e44328de7125dc5957a12ffac4544080738b592
SHA256 158da603e61c1c36e03712a6adfd54cfda240211eff319c7caf64857c6740aa4
SHA512 564edc53d90fb5eaa4d765c9bf85d03a0ff87a4fefc5b33551b12cba94b61bc6c2056959a2f11c4637b8413ed29eb4fb7037d020d4ab57b0961b3ec7cd553d45

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

MD5 0cccee444f2fa026466e9e042d4d424e
SHA1 2a159a22b7e2b0cbb5095f531a5c2d1fa6c23525
SHA256 2d28d3a06c646c5826090d1b1b01aba13b43fc60dad98369e310b6be1b7baf7c
SHA512 1816782b4d602ff8bc5e665e377a6e1f516adee662ee8387f07b4ded38072ec6c22a11798186b11c0ad42b0ae46ead225700ef35254c62633264409d30c99a8f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

MD5 081b60a3dea83423677d92e4a815db49
SHA1 b156996c67c56cbe1fee86bbaa19412acd2aa0c9
SHA256 69bb5480e3fbe84a8566c5ddf23194b310efa7f438db0b4f2c1bb3cc3ba42d8b
SHA512 8e1afd1bb43442bff72dfa17e2bf0ba7f821f572a780b15707490ed7a837536e056f131895c7ad59ae83c23f1f159787436b2cc0ecbabd9d4d8d037f14672df0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 faa5138f07e111d4df2f55b7dace4326
SHA1 77323a6584d78d700292b229ed08bdecc45d7e4f
SHA256 0333e96703a292278a231f4129420e84b628b58b05ef3da999ff6ea59af5a909
SHA512 ad1e4c04c40a41314e03f9980ef2006482bd6611b5f88296b5c942fe7949dff5a7d1b53c88c317e3318f09b3227d06e76e12f1821a261f0ab81e2b7c3b3e32c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

MD5 580ed15f1451bf02e813a8084a54a910
SHA1 047d566cc4224749c7e20aabd95776a5687c1d45
SHA256 a37952dce05db35dde6f7e6877951221a1bf54dd3e733a7b0d9566ed2b238d46
SHA512 f88c6cdb5afbfc668b649d5ec561563fe5c2793a45381da821da4488920ea2499b5e6ee2b81e5fe86d51f56a58b7c8493cee94248bf23a0817713dee3fffc9bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 de58b9823a5dc39b8c1b1f510a629c3e
SHA1 9497da0dd6a2b47d2932816f13d8fc8e1d6174e6
SHA256 fb50df4556fba8f7d0b21dc4f0240e1a150ca64bc3f37f85ec59f493d2868fe3
SHA512 9bc5a8e79a8836f03465bdae90153502672a65c357ca159d76a97ba9ff6c35e6ae180b07eab27472f6eb080abf46881ed2212fd1eada4e6c3e434d8ecf3d29a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

MD5 9adafd58a006c01ed6da6814e13d83f7
SHA1 eaee90fb238dc4568c28c390112b18b23ff8b1ab
SHA256 1ab7b4c7575a04c33c048215d352ab69db5bb8ca07064fde956c0cb0966b8eff
SHA512 19ce9a1fc3b8a6124974d811c748e5cf4c9926c13891cf9d9c83cb7602aae4f2188a48884367e1310690b10574618fe6615ef152e919a7615a47bbaef2b224c8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

MD5 fb86d394a638d40da2278221a4a9ed33
SHA1 fe9e3bedc5b5f7e639b30f2bf995db5b15e5f27a
SHA256 c3f6a1b4467e7856823258e0497f80b34774b7bd72a7e8dc9aa6487296037906
SHA512 321a236ba075fef5cf5426c07db858b0dc478130e15e4fbe319ac7220bb67fd2a9484c537344f79f11e2f1e01f57ac71248cd431e0061e852f472be9992f861c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

MD5 029326b3deeff1ddfd96e5ea29e2bb16
SHA1 d957a07a7e50497b70c6acedfc79653a64e259f1
SHA256 ca38b0af5467acc30e7ecb3d4fd5351fba0e8d02366e612bd361c57a2414b2b2
SHA512 f70df4742dfaa372c7cbb959157fe7b227e794ab1ed3ac4a8d25bc3a2b8f8348554fe2fbca56be85de27af06945571d6a486f4190954d912fc4ba5992f6d91d6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

MD5 9f5e6fc45e989005a6c4da2a37598bab
SHA1 791def94adcf3ef90c61eb9199dc2410a357df27
SHA256 d4e8e3e15fb7fdc6a74c13215b503854985e5ffa139b217ca2102cc259da375a
SHA512 89f7cedf31f7700f7e00288aeb01c2a78f24750ca78344731c5ea57a497279867415028b41b8313909c92be02f2f3330b2c7ecc8974a599ef5195358973f9a2d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000005

MD5 fb9a772830112c62a2c47ec9657aa433
SHA1 a4fad3a77fb2ac5c7ad0a84e48abfaa56bcd3789
SHA256 dec8a5020e30c4a096b263a8a14c2e6125163a2fbb5c3ca1323282d481bbd169
SHA512 4c3a15f11593065206e0e5fff3efd91e5be84bf5ab5e2e0b234a7a7b74c9954528fda2ae2e8034c63daef53919d8b8464ef8573bdc021081013d1bab349523d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000004

MD5 2a029687e73114ebcb4fad10c0114e8a
SHA1 f09cbbed46b9f8c731568bdcee13024e89bda397
SHA256 fe6e92a5b020858bbdd8089533c6f22703bc5927e22f689c384164096705b11b
SHA512 211dc45e2bb5739bcf863c44ca8132f92e895b3c95d074929aa4338698d53c6ccb3a8e2f23180260d9226073f4f5cd21a200010a7a224de7c8ac2e1cc853730d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

MD5 ecd19afe4acbfbde24b188e35b096c64
SHA1 a755f325944e777891716c89b6613c41b5bbe490
SHA256 7f7bfa0a3f434df604523b80194ea15140c90530ab3fdecb9e1e746133cfd136
SHA512 732e0c6278ab45509982b853645febb5f8d7ad1f7d477775cfe2488152bb79fca7ac1677e75426e78d539d1e7ac12507ee2138651d82a86e78b9fd1e4e5aba3f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

MD5 4ad3582daab2154d8e2ded5d513d4f5a
SHA1 41f7b1e8bfbbb292d9065597c8a8bd47a59eeb58
SHA256 b5e2b316866da59d8e9e80c8d087892ed3657a7475263aa4653184ee3c106aa2
SHA512 cab8d7d84954e92e46b54f031d3f929177c725f3c60691dfc0848ac0157e2bec91711d2ce84a6ecfe5bd569230ea76e32b0756aae922a2a5f05cf926448fda6f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

MD5 61d5cf6978e46aa877fa6e49ee8bad2a
SHA1 d017c5e36d77a56563a2134ef48bac579ddbbbcf
SHA256 aac1c309ed163746ea9918586e9e54b3bd952d8ee522481d31a2829e41668b94
SHA512 4ad98619e6e7a16d9dcf7906ffc0550470b5a72154f911090baa52392488d4d1167a94a948b9e8568dbff63a8fce1510eac71904619c181153305762283203a6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

MD5 2fb138e8d15d78c7eaa04adca0d4bcc0
SHA1 35c18cccb65352268c7c1722f06aef3d0f439dcc
SHA256 b30e50b02eea2adcf670d6b903fd82d2f9ec66a5625116f5dba840169884c743
SHA512 c8d390711773caf2dba752ee470c97ae2b6375cdda89c8a0e2182465b0eee6e232d09f9b3d1fe3c084d9acb788b50b738f37f35098f1ec2a6b030dc7ad325e46

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

MD5 ac12bb8f9405fa0a622ddfa5015641f1
SHA1 9516cdd43b1e668d7e2b8d54db76a2cacdca42c4
SHA256 a8feaff6711af87bd6d879d1b6869d8739e7c91d898986f7cd0b705bb7440e7f
SHA512 2d7be30f9147d26a4fa2bc0576a4fddf834d1ec145a21bea7d3a6c22e698030086a466d481f4eb4dca93df653984c0cf977bd3e2b5bf89929d1c067e4be984de

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

MD5 94fabc19c1a969b9362b71a59f438eb7
SHA1 eceec8e0f09583d930d85d400bb6f60daa72bafb
SHA256 bdeb1292ade810eba40543a39ea3e9c58d61b516e81a549c9b395e8a70b4da59
SHA512 ab23755853edbf9d5ddafdea9060db658168d1013d83b30c6200144d29169b3edbf2c87c19aaf5088bdd97c60e509b9e6d1bcf19482a93a094af054e12d95bd4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

MD5 61078ad19204b73a087f639cdb0e0e1f
SHA1 ba2f98ed13615c7fbd2fe22f9e04203ba4131be5
SHA256 967ef772e3ff78a2d938c01e20069b87a49957a3803b65fee88fb6487c55f34e
SHA512 330bbdb19d66860a3b9ee0b992c0f205f19011f2c7c02d90af148b845897c295f790ec99b06aea3463f0737830cd9051f8054b04146c14566e710d4b34c1e9e8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

MD5 308487d4379d70f842d33d18688e132f
SHA1 0abb9ea4168584652cbcf3dc488fcdcbc5ae9d90
SHA256 c30be528b935e5e9459252ba331ac699b16ed5e78c59f8903a6fe70910d6d638
SHA512 ce201a8b0b9201f951d05fdc1e5f75d74976f23f2300d3b2fcf17d8a957169979774f8918fd40fade61cf869bb5aaa3d857d8f2709d3de9d2dfe98e8c7c5e42c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

MD5 04b069f046c17e96375ae23bed328a81
SHA1 b8a2a4d5c2d75aabd20beae8cedd62c6f821881c
SHA256 701a9fcb37f7d8317bed7718166dd82ce1f62aaeb5e9c61d6a0c20e37b676db1
SHA512 346bf024c877469da0832a1b175d0c98d47dae13bc8d5016526cdb7a676c883185aa77cd4feea52a140c765844088b52407a61418a34cafadf02fd51c452911b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

MD5 e66c980d82d560702b1f09b6fc2380d7
SHA1 30250f5c271bd071f664c9232a1711d1b0cfebe3
SHA256 a4229c0bf769006d8b401a0b368bcf08fd8c01dcf27a7d3208b4f3282d1ca367
SHA512 c4d2c9e038b1550a1367fe8d621c4ba7ea142ebd2e2796c494f5fc244fde2af42472f3223578b95ec21491d42d2ad47160b96df3aa2616fcdfc1174573cac5ca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 8b0f002ccd6424bf2c39a17442566bd0
SHA1 9d18dab225549548a0f666415ab48aaf397539b4
SHA256 238595c8c6cadd105523a5af0e9a1adbccfef0c01d12d896033c5da530e9ec34
SHA512 63a8ebb1fe6df48127d8f040802c586e5f87fb9c722d4d7dc9253f30cb8f9f8c2114311ea7ff983eda642dbf5e9a4392494fea7ad65e0ab1482db4aa17fe7466

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

MD5 b29bcf9cd0e55f93000b4bb265a9810b
SHA1 e662b8c98bd5eced29495dbe2a8f1930e3f714b8
SHA256 f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4
SHA512 e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e86d4f618bd281a137a67084734a69c7
SHA1 984ceca61df910393801e760b4bb4e5908cc9fc2
SHA256 20b0a7c934d9282316696f7bf4e85972a2a9158d77b35325fdb727b1f9487bab
SHA512 4fc71d22384cce0ae37dffc6b0b235a6f2838bc9e986411136fb113fee2569e74ec73629e79d4cbafad2829ff0b3347ae26256a97860dec558c93aa26ae987e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a6c271183ffef62153b0539c469ceaed
SHA1 4ce096d312c54e05f7dca887135c93872294dd2f
SHA256 c00b91ab8592d2ff2ed6fa8aa358374d34bc87819de8600c02a9a6ac28eac3a5
SHA512 2c4458a818abe91322ab21288ab9fb90c2922dc38f31aa26c44e90703b4fb400666bc00bd2e33dd16b9d94dbaa351f33fe060c3a26e265cf2a21722f28cb2176

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a13b3e0c31e17f92135028b70a1d4967
SHA1 5d2756901fb7b0369832f48de68f8e0a8929757e
SHA256 58c0a35f8e5bc4bdfa08b16e98ddab9c39056fb11c1d0613e236f17aecfd509c
SHA512 85afd11272e925cbc107a1a0aeea485330ee3027198e9fccecbabdb58e58baedb31302c71a16f5bfb8adde3fecc1a7bcb2d66626ca1ecf1120d1fb4a4edef1cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f31fef984d7504dbf4e7bfc6a67b7809
SHA1 982d0f73a8a13389e735906a95d8e3f3da6ac2a7
SHA256 5ec3160c64e5ed94143c9384359aceefd06c453adb9c9ae6d18c22da5b3c0abf
SHA512 98691e21188d25a8d8ca427a13c085c477480d540000b53d972977b191fe82b85ba39d1e7c1b7af5d2120514d0a6d1d6c72376a669f599dda3fb8f6147d38699

C:\Users\Admin\Downloads\Unconfirmed 894898.crdownload

MD5 692361071bbbb3e9243d09dc190fedea
SHA1 04894c41500859ea3617b0780f1cc2ba82a40daf
SHA256 ae9405b9556c24389ee359993f45926a895481c8d60d98b91a3065f5c026cffe
SHA512 cfdd627d228c89a4cc2eac27dcdc45507f1e4265eff108958de0e26e0d1abe7598a5347be77d1a52256de70c77129f1cd0e9b31c023e1263f4cf04dbc689c87e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f62cfd608ebccd5790034bb906eeb447
SHA1 8ddd01d5b9d150dbb4b372474df79f902de694a5
SHA256 c73589133ffa0dc8b35dcfcbc96c43f517c1a7f30e950c9f75d4a781a305f931
SHA512 92d8e12a4391bedcab000991273c13ef77dd94717ae7dbc86935081b4d5d71b2b2f7dab00c7943c645842322e60f64724d069c533e63fbb9aee8ea7f003b981c

C:\Users\Admin\Downloads\Unconfirmed 294334.crdownload

MD5 5c378b11848ac59704c2000b4e711c30
SHA1 6a46c53fd89b1f66d3fdab7653181e8a3e56d418
SHA256 bd764fe2f9734d5ac56933ce68df0a175bfa98dc0266ae3cd3a5c963267ea77e
SHA512 c6fe33ff3825e9018abea99ea49dc5221f2abd96bd1099def898425b82c05f9b9ca1aacaba0b7ffb7d09a7d097eae9937abdc13bbf3e7643e24e37edc7841c48

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a0d7b8d54cc822767e4fab01824b3491
SHA1 fa0f279b8bb075129da1d384832a6a0888d98d1b
SHA256 9b6989927213a2ddd0a58686305026567439cfe7a438fb8032abdceaa0364490
SHA512 6b00b3a334c8d8f012989753bd6e2792e9859638876d1519d8ffa24d295a1bf0c738927a9b8c9a50389babf4246dfadf86b018e6f390f60e3d14cc2d10c83546

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ee4d0f97915943edfe89fbf67d234c9c
SHA1 285ba0a20bce2c1c7cc24b545add8720bfa86ada
SHA256 ee6d821c32a8fe63c9dc8e324c7fcaae45eb82ca4fcb828bd0fe3d1a1937ecb4
SHA512 7cea0485699cab8182b29efc8e2e8a583eb4cac1968f8ec5476a84bc7f1518f97d70affe31362d2b9885c42d53bd0bdab42fbeffb1f10ad28985078d33257b05

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 dd73aa94941f952096bc4bde8ba82f30
SHA1 086f33238a92647cb33f10168bceee1e77415d7c
SHA256 5d22ed6e44c748e188cb0c50081bab01643bf0c27125ea15255dd76406918ea4
SHA512 c55123af69f50b7fcdfee7a8abbea8b2a371364b8be76a7f688084df829e8e3263050f345eea46aa47c84d9ef9ab0698fd508f825d48572a4b7b28ca5ef42695

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8ea50439ec013122d7a4a6d981947b01
SHA1 6edd7d9b2eaf4f948a9fd5c2fe30229471929e65
SHA256 f7a385a8fcd47ce98aa8dbfe9521bc39ebd9ba0acc5a2706942b8dc211e89f7c
SHA512 c9bb062c35db01c86e296efe493275ba67eedacc27f7f3c5c26ad930c45b92c6e4e216e60136845379f8ece5d6f6e24c566c700eb07652b0df06d2e68e34ffaa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 8ff98f577ef4be0dd0faa9e03293485c
SHA1 106633752b9eecef03c5fdd328cbf82a710d802a
SHA256 4d00cb6aed79839d40fc9d575992409efa8426e191ee3d70126c8341b74b7df2
SHA512 910eea30bbded188a753f39a4558f1c67e7b8fc54464ad38d9b94f8d7c58acdd8dc0180d31787976cfc1f5cac601d8abe965f456d037df66a05b34fe5ea03fd7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

MD5 cfaf0ba1bae1476f36de9fb9adb73a26
SHA1 4f3cf3a0f7c57fc4a22a64d144535dc36ce8d925
SHA256 6a5d84353db16244df29f4a218a285fa8b2a2d0cd6bccb21fe2b9e8ce3be1f93
SHA512 0ddc3415907ae806f3f6c50de78145c0addd66fc5c778e89bafe097921cffb156dc4f706c88724c28a62365124b82c8628c3720a5c3ec46388481375bef22aaf