f459f7494cc498deccb42f8bdfa371ee6e63f354c077f8523391a410af22bd5c

Resubmissions

16-09-2024 13:30

240916-qrrtnazfnl 10

Analysis

max time kernel
845s
max time network
846s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 13:30

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

readme.txt
Size

484B
MD5

e803ce746bd34ffb322ab688285427a5
SHA1

a3a6f86ce7b1900adb9ffee26f5826fc765108a0
SHA256

af0c27edecb21fd8cd012f8b4571a91bd9011025d909b0b14975b87e3f078cc4
SHA512

9e463ec20063b26653abf2a5d1b2a0ce5caa0c64e8317a5515070613221121399b51ae4a80700c497dbddf39a17a208aa6e7539561ce99b73e24fc55ba8f066c

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
92	camo.githubusercontent.com
93	camo.githubusercontent.com
125	raw.githubusercontent.com
126	raw.githubusercontent.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\2229298842\1389083021.pri	LogonUI.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "91"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{7F66CF95-9DF8-4783-9B73-13F5DB380977}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
4340	NOTEPAD.EXE
3416	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3132	msedge.exe
3132	msedge.exe
3720	msedge.exe
3720	msedge.exe
3200	identity_helper.exe
3200	identity_helper.exe
772	msedge.exe
772	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
184	msedge.exe
184	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3448	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
3448	OpenWith.exe
2996	LogonUI.exe
2996	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 2220	3720	msedge.exe	96
PID 3720 wrote to memory of 2220	3720	msedge.exe	96
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 4384	3720	msedge.exe	97
PID 3720 wrote to memory of 3132	3720	msedge.exe	98
PID 3720 wrote to memory of 3132	3720	msedge.exe	98
PID 3720 wrote to memory of 716	3720	msedge.exe	99
PID 3720 wrote to memory of 716	3720	msedge.exe	99
PID 3720 wrote to memory of 716	3720	msedge.exe	99
PID 3720 wrote to memory of 716	3720	msedge.exe	99
PID 3720 wrote to memory of 716	3720	msedge.exe	99
PID 3720 wrote to memory of 716	3720	msedge.exe	99
PID 3720 wrote to memory of 716	3720	msedge.exe	99
PID 3720 wrote to memory of 716	3720	msedge.exe	99
PID 3720 wrote to memory of 716	3720	msedge.exe	99
PID 3720 wrote to memory of 716	3720	msedge.exe	99
PID 3720 wrote to memory of 716	3720	msedge.exe	99
PID 3720 wrote to memory of 716	3720	msedge.exe	99
PID 3720 wrote to memory of 716	3720	msedge.exe	99
PID 3720 wrote to memory of 716	3720	msedge.exe	99
PID 3720 wrote to memory of 716	3720	msedge.exe	99
PID 3720 wrote to memory of 716	3720	msedge.exe	99
PID 3720 wrote to memory of 716	3720	msedge.exe	99
PID 3720 wrote to memory of 716	3720	msedge.exe	99
PID 3720 wrote to memory of 716	3720	msedge.exe	99
PID 3720 wrote to memory of 716	3720	msedge.exe	99

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff515b46f8,0x7fff515b4708,0x7fff515b4718
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5932 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1324 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2364 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3128 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3132 /prefetch:8
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1928 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,12428873289744403967,11309873764269865958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4428

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:1780

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3448
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Ctypes.py
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3416

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa396c855 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
70KB

MD5
4308671e9d218f479c8810d2c04ea6c6

SHA1
dd3686818bc62f93c6ab0190ed611031f97fdfcf

SHA256
5addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a

SHA512
5936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
41KB

MD5
58756d99d2376dcfbede6057dd25a745

SHA1
76f81b96664cd8863210bb03cc75012eaae96320

SHA256
f5d0da7b010b28a7fe2c314724a966c44068a8c8fa7e9a495e1284aa501067fa

SHA512
476e35c3da0cf223e773c2d26403c12f8c8d034273cca9e3c4cba9359f8506159c2a5267793c8bd9982b636191ddda62e9119593f5599053894c7027a58acc10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
7b60700a2555e543f061d037779e683d

SHA1
561bd2f1bc631fcfedecacbcfb0c35676a7a6336

SHA256
90ba4be6d2a6af6686dd5820f8931e5fd1edfffc898acced30dcf8f06eb13ab1

SHA512
cef7e69ff483f2ae39223c95ae6060bc4c8419366131a68740646737edb5bfb617058f8f6a4ff76dc009d6440214bb83141c3a3d5e52f6662d7225360804184e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
37KB

MD5
33bdc9d333dc6b1e3dad3b166ea3a567

SHA1
30a38602e99bdc5c6a795f2ad5d54fec0458ddb3

SHA256
24cf7e133c705d3350bfe954c4e325b2de97fd4889de600f90cf06c8c3d02a4d

SHA512
5a7095db8e8733f71656871ef8109255049bfbff78c6beb030fb0c0a167a289dc29671f28a879b5e1ffd84418b29b15a59f5a264de6da8da08b02062fa3f1e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
37KB

MD5
7193ca6b3f27e8d5ea7ce2347cc33198

SHA1
38a55d68668a6324c2f014755bba48fab389d827

SHA256
5eb61d382fb6a3f14be5213c0df50eca6f361fc0fd33b40058eea631fb5beb78

SHA512
a0b9231558db8396247ae3aa449e9722ac32d5bfd4930bb07e66497eb2faebf49c6abab0ddb0b68fac1ba103bbd75e120e6fed5b09e449731c0efbdb24831ccf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
21KB

MD5
94a66764d0bd4c1d12019dcd9b7d2385

SHA1
922ba4ccf5e626923c1821d2df022a11a12183aa

SHA256
341c78787e5c199fa3d7c423854c597fd51a0fc495b9fd8fed010e15c0442548

SHA512
f27ba03356072970452307d81632c906e4b62c56c76b56dfe5c7f0ea898ac1af6be50f91c29f394a2644040929548d186e0fbcea0106e80d9a6a74035f533412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
22KB

MD5
310332c9fcd187f4b4c3bc6198bc53c8

SHA1
e38fa66f3a0fee61cbe37eb7452c259321414159

SHA256
119ce23f0655325e876bca70a319f7345b6c53939e2e62f54335bd1218517976

SHA512
eaba5340162f1860db8be620274cda010b72050c5054075b92fdb0b73441349aa9f6c2a1c498d7e87bcdc8f42ddc5a2e965221bebe4063b9b16c40ce52341478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
90e6e6fd2c48688e2401746dbf670212

SHA1
425fdeb5a472b8274c0caedfea9c171784974723

SHA256
e412aa5ae821aa5ca3dc88f980f4eda592ee959e84eb8de3b0da2c5b7a6ab6c6

SHA512
62d3894ba560dbe7df8fb6e42ea6dc3967a48fcd45126ded1f437f6d5f5a1d5ea3eceaed085f89ad18440832eccf0e14f2194e79f82870fae24f8bf4c85da0a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
082676cde2291a1b26ae0f0255274026

SHA1
a67c1d6d0d4380dad2b9cd17f6ccca6da96a2705

SHA256
2080bd1d8321217a7b4b790dfd88d6d17112b3638fd9a1355b0d30e06b1c1d2d

SHA512
3bfcce3354733f10c6218141fff91e50831e99a0e20e440336b087a5509d99ba8eed9ad633d23fdac22250203989276cee051faa966b24f8c1f70c8707d64c1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
76e37b3f20cbfaff2bc31b9e916c89a8

SHA1
2628e88f64529cebdd7463fb7f23c646c0bdd65b

SHA256
cc7caf5cd1ffee0e7da7deff25c62b444f3aa3ff883032d873b3ede1a86da094

SHA512
0f00844973d08a1f6312ea9657226cd45890dcf75753a3a9209cdfa8d05d53bf6013910cdfd4b7ffd167fb2c93c9e4600ea157476766a4dfca886c2d1c6901ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
eb6bf020750d05c24a091e7a309358c8

SHA1
4d42049a8c484e45e75c36e433cadb1c9e7ae7df

SHA256
cdcaa65cd3c51254ae2c73949e63f8b72723c93e3337ac66eaaf2f800b91dd08

SHA512
c7e66490efd611b90ad36360799b8b01db67e1b3df293aa0258883f7de827b1ec07c218666d222a69ce754a64e4c434d552e9f04407bb5ad9ad9731e0c5483c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
850B

MD5
7d8e5d90b9c417609c7767c7100cfcf1

SHA1
775642dc5d023784af15dc7cf708e07892ad05e6

SHA256
f5115ede11940b5a63c7ff8205c5bd88cdec9a1b41daf270fbf530d20e935158

SHA512
0adc7a1799321866fbf73fc5251965c7b213012f58615f2f2633e7888747e1992dd034723aa7793e9dcd5887410664c6edbb1c18c503cffe24422a99b668b573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6b533ff6df17fcc51aec6e2bd26b1769

SHA1
a6bf74f069eef723e03d3cf084e671cbe006f991

SHA256
28a77f722d759c8a0c1c5c1acf62bb32f961d3ee9f92407758aa647c96a72b20

SHA512
6617ebfde2237377a490c12da2cadb1b57330e8c5b0fd6f4683bab0539d1912dcc13656d08dc5938aea39c70f25b885d9046251f860a924716dadc6ef2efdb30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6d4f700062c29e833309be6b9cd0a2e3

SHA1
23c03cc4adbfb4087b61efc7566aad0372807060

SHA256
9b2437e67cf512c443a708e74f0f623eb9affe3a92767c9e899de4091baf248b

SHA512
51d7f2ffc6203267d3bfda7a8dc471954ee55651365b8deb16b211f0b6e05aff2cf0a95f309633ebc10b9739a1c60d96efe5ed99ccfebbe67694f1b30ca0dcc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
918db4eb6fcf3b237b5043e0b90f8a1d

SHA1
e574c8ec2c70476ca9db0b9c70cb0b07e755e4ab

SHA256
011ad1cef83e920ead45a62be9e6878d17e6989ef137b2892f27e2a7fa5da351

SHA512
a025cbfd4c4e81910cb338ec7f58ada2ff2bd78bd767459a66d714ea5028e87abdbd631fb58aba7ea828b96819e11c2bab1a6817336ee3c89786cdae8d5b5f46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ffffa4e3dde48989e2b20605ff9b6657

SHA1
300b5cc42147b34c521aaf9ad3a7648b15f9c3b6

SHA256
897ad415d085558ab7f613e38b81cf0d11eedb8e27bc7a5d6ecb323c88d79045

SHA512
02bd6cf3ee86d9e2651aea5183858892bd399fc7b1a4455629531a455e349b77b2138f878d114f7dfd05b6ecd5ff462cd395f715ae663bef03839181b485b880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d27afc1b3dbd82830db76297f85303d2

SHA1
12b8fb55b19493a4150d9a393769e2e5995cc89f

SHA256
d33451ae139922f4397a4d502b9417aecddc9426020f3fd21dc6a6c0b5a2dcb9

SHA512
f6c768a05dbb9ef3de20674b8f7bd69aa0b15bbcf3d2fbf20957f05dd9101ab1f2082e79b3bb9d09164aae5f96937cba8ea172023701a231e782c496349d0c2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
36e429d6c26283d692a9b436ae8b3ed2

SHA1
52e3b36e2f5f444e726d7dba84d14d94869dd16d

SHA256
7358004c104d8e277d4f77f948ba01d04102c6a930eb2c887e006336e8a5b99e

SHA512
9b903122fead15e1b817b76a12f38550d43b0d82c772cf2a967f02b3fe5c52f04d0fef5a87f1507be7560143ea6dde9f334fd23f6aa35cc16efeded2c7aeac27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1d41caa9a774b0cf1b2b0f0ff28bc83f

SHA1
58ef6a65fb9dd2c167293cf934a6e95676150732

SHA256
043848ab952cf78e28b9971c00744fd92848af7f65c19e566d7cd6b894a46776

SHA512
9e813f2f2ee4593f5ca204d5145bff300cbd3dc46e98663f40dcf0e5c06277e7ddd1dea8dfecc7afb6ddd85e5d0ac7570f9c5b1ad411cb01e2ce8aa82d68722e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e2077f45fba6820c4eefbebb7617b883

SHA1
d80c16d33faca1084b9e8a100e506c4759ca005e

SHA256
c1dfdda563f8e2520c98f5011dad34b54d6e59039e77627a1ac74cb46a774734

SHA512
f0f5106ea3a0a4e69ae07d1dfd906f0e2e957a0affd9f40a47241814c80b5ac3abcfff9f66b2325f585c91c77f815e45cbff48c2f54770c68bb8a60aa2fad684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
612c44dab0291d07ad82056f36d16113

SHA1
206d4aaa5f7eda6ea5c1c480f28802c1ee801d5e

SHA256
56869d4d4266e354e1d1b8174c20b7fda0e8fa5871dfa9344cb795a99ffc184a

SHA512
2e54baac19a156374ef51661db9411492ada7e2b9eb4f872140ecaec9a0516475e10b0d4d1d3d9386f76ea38a6fc97b4535de6ff6bba5a9e1494c7e2f52b3763

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0b736a51bfc24deffc865de2f26b5fa7

SHA1
80007f572a391100c6a48e2a986765c2e6486aed

SHA256
00181b65ae2f73ddd2cc6d90c439d7118980e7b86437d6e9ff3ac0aa418f7493

SHA512
b33b460c23b84c0113a0e9e993453c20164ada7f7d8e4a7a7d8cc9225a14769d6619db6c91e0745ed8543ce01f5afa449519cfbe8aa14cab213446f161618589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6197794aae25e1ec5752a6a2744a8379

SHA1
34d2bd368410f565057631ecd79dfe4e06475132

SHA256
15fe314e83caee159faf554c31962e07a99aa48926169dc18de15e5d7adbad23

SHA512
acf0fc6ee6d7c5547dda3eebbaf133a568e01862277e401d1802a968dbc50921a33a50f23d7e5e21023a99f9644398627f9525f4b7cf2c55a4f951288642be51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c6ed8fd7660b08096e6f9fa9fe6d50b6

SHA1
3cecfdbb4e7aedfd0290bbae03c37549342ceeaf

SHA256
1c66e34cd920f180381b0276092d976bcecbb2f04b749688d7c60c08fa114e4a

SHA512
20f28532485ddb35ab61938c3744098f581dce3b5cd6bb1c408cb3fd065118bc8b52437ccb573b9155a1960e5a2856e22327db288c6dbabfc591fbb525ce42c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4f23aeeb2be99577fd2a08f8610aca3f

SHA1
69865e40cd10d5baea3cfa8b732d802fb1995cd6

SHA256
8c875663877496a77abbeed51e982f10bbe82d68f1c98d828ca6c9ce2e2bef26

SHA512
4facf755d9e65a8f9c6c4d9c8af922e1ab54722b8f01e7fac3645b8e12125b1afaa0d9ad4525dbc052a55cc6361f77408879165fdd1668d14e2a4937c515b270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
16d7e6106074813d54df6c814cc6e532

SHA1
ca5af448f175c8447cb622507ec35e66cb7b31d9

SHA256
5836bf88281ac492b9c409bce5ef6b6669a15824b893a0fb4f43b924dc8183f2

SHA512
b012df879493b5fa8f68ec4cc3dea46fc79a92c6c745d62d4d1242b5f78777602e9931e7af6fc302ef210f05745b99be317fd9be8d2d4bf676091a2b087a9b1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe62d5f8.TMP

Filesize
1KB

MD5
175d2152270e3de0ee9460eb71082eb9

SHA1
fe8e4e98ad5af2c7f09fb8cea3eda76bf79b4599

SHA256
113a0e143fbb30e748aaab0c8e9464a47dc77df2adbd27811d1a03a84865ef85

SHA512
ba4eb4f40f9fab7efb5b3d972c892cda2a19a3b2918a329d1955d7b9c7e6d5c19115fadce17534bb00e246d5a8717cf15b2fb3df8f48bdda0f390ee1bfa0df35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
81cccb99f29ffc5c33b3139a8fc8c6a7

SHA1
ae81d4ea86efe2186c309ee50bb8523b669e012f

SHA256
191010d80de9b52ca88a87f5934638bdf49b49a8061f0ba3e3dad90ce9fd905b

SHA512
1abe1a71a14a67ba77509bd6a1aab23131c148d6b676a7eb1c3d19d3c8cefe1817d14ac6b2b9bba30e2a17a44649f93422bea4e8b7f2aacab1372517ab63b192

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7c6450880586f63a213a0033f1810e26

SHA1
aca45ee060109406552c1b1217aef6964fccb452

SHA256
5136ea4adb0b434b82363df12806a6cc46879ba62f548deff83ab873333bb464

SHA512
d3d20d5371b596671754df88a3f569567640c034aae4490fcd232e80d64af39b150d72f668b1face0013657070c754c725d8cf2abc01c59a3d022073a5629bd1

Download Submit
C:\Users\Admin\Downloads\Ctypes.py

Filesize
1KB

MD5
c47a7d801396065bdcb52ffc1bcc6373

SHA1
63058273602552527993a2151fe2526bb6151957

SHA256
db272cb70675aed5205c42d64d1dcbfca546a22627d9fda08cdd0edb2c8be1ad

SHA512
fee5f9a204990d31e6a14c48d50df93c03c8a3a834da1703a61e585e07bebec57c573d8514678438342267fd1c7a93a0a7defd1a06df28a004041bb559113e39

Download Submit