hxxps://github[.]com/kh4sh3i/Ransomware-Samples

Analysis

max time kernel
296s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk	svchost.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	svchost.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
33	raw.githubusercontent.com
34	raw.githubusercontent.com
95	raw.githubusercontent.com

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	svchost.exe
File created	C:\Windows\assembly\Desktop.ini	svchost.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3372	msedge.exe
3372	msedge.exe
2276	msedge.exe
2276	msedge.exe
3128	identity_helper.exe
3128	identity_helper.exe
4316	msedge.exe
4316	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe
1792	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3240	svchost.exe
Token: 33	3240	svchost.exe
Token: SeIncBasePriorityPrivilege	3240	svchost.exe
Token: SeDebugPrivilege	872	svchost.exe
Token: 33	872	svchost.exe
Token: SeIncBasePriorityPrivilege	872	svchost.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 3492	2276	msedge.exe	83
PID 2276 wrote to memory of 3492	2276	msedge.exe	83
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3344	2276	msedge.exe	84
PID 2276 wrote to memory of 3372	2276	msedge.exe	85
PID 2276 wrote to memory of 3372	2276	msedge.exe	85
PID 2276 wrote to memory of 640	2276	msedge.exe	86
PID 2276 wrote to memory of 640	2276	msedge.exe	86
PID 2276 wrote to memory of 640	2276	msedge.exe	86
PID 2276 wrote to memory of 640	2276	msedge.exe	86
PID 2276 wrote to memory of 640	2276	msedge.exe	86
PID 2276 wrote to memory of 640	2276	msedge.exe	86
PID 2276 wrote to memory of 640	2276	msedge.exe	86
PID 2276 wrote to memory of 640	2276	msedge.exe	86
PID 2276 wrote to memory of 640	2276	msedge.exe	86
PID 2276 wrote to memory of 640	2276	msedge.exe	86
PID 2276 wrote to memory of 640	2276	msedge.exe	86
PID 2276 wrote to memory of 640	2276	msedge.exe	86
PID 2276 wrote to memory of 640	2276	msedge.exe	86
PID 2276 wrote to memory of 640	2276	msedge.exe	86
PID 2276 wrote to memory of 640	2276	msedge.exe	86
PID 2276 wrote to memory of 640	2276	msedge.exe	86
PID 2276 wrote to memory of 640	2276	msedge.exe	86
PID 2276 wrote to memory of 640	2276	msedge.exe	86
PID 2276 wrote to memory of 640	2276	msedge.exe	86
PID 2276 wrote to memory of 640	2276	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/kh4sh3i/Ransomware-Samples
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff91f3746f8,0x7ff91f374708,0x7ff91f374718
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,13813481689132177791,6584934131404078272,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,13813481689132177791,6584934131404078272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,13813481689132177791,6584934131404078272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13813481689132177791,6584934131404078272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13813481689132177791,6584934131404078272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,13813481689132177791,6584934131404078272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,13813481689132177791,6584934131404078272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,13813481689132177791,6584934131404078272,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13813481689132177791,6584934131404078272,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13813481689132177791,6584934131404078272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13813481689132177791,6584934131404078272,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13813481689132177791,6584934131404078272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13813481689132177791,6584934131404078272,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13813481689132177791,6584934131404078272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13813481689132177791,6584934131404078272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13813481689132177791,6584934131404078272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13813481689132177791,6584934131404078272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2156 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13813481689132177791,6584934131404078272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,13813481689132177791,6584934131404078272,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4832 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4792

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2736

C:\Users\Admin\Downloads\Petrwrap\Petrwrap\Ransomware.Petrwrap\svchost.exe
"C:\Users\Admin\Downloads\Petrwrap\Petrwrap\Ransomware.Petrwrap\svchost.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Users\Admin\Downloads\Petrwrap\Petrwrap\Ransomware.Petrwrap\svchost.exe
"C:\Users\Admin\Downloads\Petrwrap\Petrwrap\Ransomware.Petrwrap\svchost.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
240919bc1a926e8f50a3172e3af8c6ed

SHA1
79848e2b754004dbae2cfd6c0f9df672bdb5de7b

SHA256
9dc6bcdccc9dc7bc1c73c047c0c7d5ca344e4f73e54f32cf900bdf14892c7c86

SHA512
22b0a4bb95594bdf39e61d47a73337667e10b98dc7056a544193a65fdfeac2a2704ece683940c4f2c109f69c0ab1e95cef221aeec6f518dde4e772acf192e906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
06f7388070bbcff50f0c11d63209f810

SHA1
ad0431c0869d56ae37bd6d8258669630712f79bb

SHA256
ca33a279a37edfeb35aa58d86c7fe6c28d90157fadb491faa2455df656de96da

SHA512
646bc6cd3a63f7c75e67c17e634c48982835f527057908ae24eeb1768197f0d80e977d6a6f593da84b6271ab32c118e1e02b4b52be5dc8db0fd20a1d74d57830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d1f30c6b78de5928984b08e860edab77

SHA1
449876c5690c2945f2988d84760bad0e57c4c0b3

SHA256
9727557c61f0f242fece632b993e7cfe61c93f9d59a20dda0978cd2faed2d005

SHA512
86a0b550ce0515de03bbfd7a7a26028b03770197733fe4eb3ecf442a921d37314940054050c45d4f16934560e4568a9ebf53e7264cbd2da042a4c49817ec28dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f26314600974290bba278f4d162851f9

SHA1
13593485f8c8e7194637cb9b0ee391845e0beffc

SHA256
84eedcb1cfedc078ae044e4ddd026353816e632b8e51f3239e633c2e10ccc024

SHA512
90b962f0f1248064300736e0fcc236523d65f9d6c479221cd85f7a90835d14736617f7095e531fc1c9d5ec1687f642acf43d3c053bf5d08802619849f9315332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
29d41523b9777aa3f4cf7d42609a72b7

SHA1
6696a8bea2c0f87885f6092a9f533326604d4e7d

SHA256
0c75f0f832d036c78642b8547ee9cacda55072b9c7edf3b8d5a5d1501a105004

SHA512
9e4c680fafc348e9447a4b529557ad86d9ae76fa41c48068670b1be42a4c3936ea13075e297c7a2dee6bbdc37246645f40ab9639f9771ecba304f957984671ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ba775f94df7ff9240f7771f0b9736a9a

SHA1
8ba0a5e8a306778688627c18c8dac15b88ed6615

SHA256
024860580e2477b4c0c4e160a3dc92bb2ae30ab735960edeba52178741c076ad

SHA512
075467fdec06bb4499e017c26476a258aee24ca294189089dfb870d022f936affbbf7f46591b151d7d3099335ec2268149dfa94c17d9b0e58e351c20e610dbc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9a2a607b99578ad5aec569a44b6c71b2

SHA1
0cc68832b53f12c2f1fd55b0abde4bdb2d074b6b

SHA256
711e375ba5ec9b5deb24b33548742ac7ef1ba21692c98d702458fbef7cc3ec7e

SHA512
f9f954e6241ea8e578c64c266eaaae720cf4cd56c0979db581ae87142f04eb82910d55e832983d86907c9b891c399f0bfc7939960d3db6761f4b999eba4cd724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7c21b28d1d1671d59fc2359915e6b919

SHA1
e70bd9211b5fb3e779cdec255ffeef6c4814e858

SHA256
1f7e7082632298c53685ff8dd6c06485d3830a90df198323032ae8010a5ac4e5

SHA512
9dade1e7aac6b0fc750d2c32facad11f698423a15f3b0cfc7b4638e90c72d96fcda968a6c92eebe25a1c316b61ab0852fe7e26130cd63316c6c8983c0895ebf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580700.TMP

Filesize
1KB

MD5
97693ef3ee30d9ddf99541ceacf356d5

SHA1
c41971ca4b750ed33a89d6d7c12019d67e76e713

SHA256
979a8245eca9a1552334598524e9954f09c199da3f54c7a014375f09204a55f7

SHA512
6392f86b29a94146ee3a12036dded9f45d791f27e3d167c574aa1591dea2eecce687bf6ec53d821c984ea33c129b25292bb5dff6f23afb0c748debf00a3da3e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fef3391008d960925c098bb1be5abeab

SHA1
d7dde4ed238064b111f3d76cec5f9eff66912cd4

SHA256
892a0227ac07d3f94bde394c5f918563d26824b2bbb8794683edb719c5c21d18

SHA512
29070df31842707f9980d9087f5aa2929c4d1f779cfac5d675519fe98510cb6186031f815efd34e05b1c29839e4d9c0b571b00c5c4a738c57828dba0c164dfb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9b34d5d540e975ce1ba83fab53febef4

SHA1
0fbd50f850b94ddcadeec90a41316f02d07a22ea

SHA256
d0f0e3fe4e01b6c0c7b79ffb3f157c8f99bfda9701e5842a74e8c68d078b06c4

SHA512
d5129d0c9ab43a64c4ae07ae188a90dd3d0baf17e2d3dcb45b9120b47a48010a1466cec3cb109d991f4827bd2d27b1618ae8efdc51448f5f47b277b9e43d5aa0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/3240-384-0x000000001D4D0000-0x000000001D99E000-memory.dmp

Filesize
4.8MB

Download
memory/3240-385-0x000000001D9A0000-0x000000001DA3C000-memory.dmp

Filesize
624KB

Download
memory/3240-386-0x000000001DA40000-0x000000001DAA2000-memory.dmp

Filesize
392KB

Download
memory/3240-387-0x000000001BE90000-0x000000001BE98000-memory.dmp

Filesize
32KB

Download
memory/3240-388-0x000000001E0C0000-0x000000001E112000-memory.dmp

Filesize
328KB

Download