Malware Analysis Report

2025-04-13 21:19

Sample ID 250323-z7wbfswvb1
Target FreeVbucks.exe
SHA256 df86bc46fdd921147c26c94a4cc054efa01bf2fa837756ffc0139171c8a388d8
Tags
chaos defense_evasion evasion execution impact ransomware spyware stealer discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

df86bc46fdd921147c26c94a4cc054efa01bf2fa837756ffc0139171c8a388d8

Threat Level: Known bad

The file FreeVbucks.exe was found to be: Known bad.

Malicious Activity Summary

chaos defense_evasion evasion execution impact ransomware spyware stealer discovery

Chaos Ransomware

Chaos family

Chaos

Deletes shadow copies

Modifies boot configuration data using bcdedit

Deletes backup catalog

Reads user/profile data of web browsers

Drops startup file

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Browser Information Discovery

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-23 21:22

Signatures

Chaos Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Chaos family

chaos

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-23 21:22

Reported

2025-03-23 21:23

Platform

win7-20240903-en

Max time kernel

56s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Chaos family

chaos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\67mz0aq9n.jpg" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1836 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1836 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1836 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2400 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\System32\cmd.exe
PID 2400 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\System32\cmd.exe
PID 2400 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\System32\cmd.exe
PID 2532 wrote to memory of 2464 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2532 wrote to memory of 2464 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2532 wrote to memory of 2464 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2532 wrote to memory of 1728 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2532 wrote to memory of 1728 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2532 wrote to memory of 1728 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2400 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\System32\cmd.exe
PID 2400 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\System32\cmd.exe
PID 2400 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\System32\cmd.exe
PID 2256 wrote to memory of 2964 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2256 wrote to memory of 2964 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2256 wrote to memory of 2964 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2256 wrote to memory of 1452 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2256 wrote to memory of 1452 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2256 wrote to memory of 1452 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2400 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\System32\cmd.exe
PID 2400 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\System32\cmd.exe
PID 2400 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\System32\cmd.exe
PID 2612 wrote to memory of 2976 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\wbadmin.exe
PID 2612 wrote to memory of 2976 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\wbadmin.exe
PID 2612 wrote to memory of 2976 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\wbadmin.exe
PID 2400 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\system32\NOTEPAD.EXE
PID 2400 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\system32\NOTEPAD.EXE
PID 2400 wrote to memory of 1504 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe

"C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

Network

N/A

Files

memory/1836-0-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

memory/1836-1-0x00000000010A0000-0x0000000001366000-memory.dmp

memory/1836-2-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 afba56cb6fee3660b751b98418c1fdf1
SHA1 24364e0e691df3b6e7ebd0e142993fcd6b063984
SHA256 df86bc46fdd921147c26c94a4cc054efa01bf2fa837756ffc0139171c8a388d8
SHA512 dd138767c127af7e92a696ceccc3b304c99a52392c66d6e8af41f68be8165af55c99ccc62546afbec2da212f207e9b0a66968e73eaab4d3f2821172ff1d3a99b

memory/2400-8-0x0000000000390000-0x0000000000656000-memory.dmp

memory/2400-9-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

C:\Users\Admin\Desktop\read_it.txt

MD5 4217b8b83ce3c3f70029a056546f8fd0
SHA1 487cdb5733d073a0427418888e8f7070fe782a03
SHA256 7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
SHA512 2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

memory/2400-74-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

memory/2400-75-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-23 21:22

Reported

2025-03-23 21:24

Platform

win10v2004-20250314-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Chaos family

chaos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-308834014-1004923324-1191300197-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cdlcw2k8f.jpg" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1352_89810460\LICENSE | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1352_89810460\sets.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1352_89810460\_metadata\verified_contents.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1352_89810460\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1352_1725998183\keys.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1352_1725998183\_metadata\verified_contents.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1352_89810460\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1352_1725998183\LICENSE | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1352_1725998183\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
File created | C:\Program Files\chrome_Unpacker_BeginUnzipping1352_1725998183\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133872385834919035" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-308834014-1004923324-1191300197-1000\{25B3D844-8D14-4F3A-99ED-9D19ED5ADEBD} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5156 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4668 wrote to memory of 512 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 512 wrote to memory of 5532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 512 wrote to memory of 3620 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4668 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 1144 wrote to memory of 5216 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1144 wrote to memory of 3232 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4668 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 1352 wrote to memory of 5736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4668 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 5812 wrote to memory of 4852 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 4868 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 5372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4852 wrote to memory of 5152 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe

"C:\Users\Admin\AppData\Local\Temp\FreeVbucks.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffbc05af208,0x7ffbc05af214,0x7ffbc05af220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1804,i,83034834535672270,7075751960562590028,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2240,i,83034834535672270,7075751960562590028,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2580,i,83034834535672270,7075751960562590028,262144 --variations-seed-version --mojo-platform-channel-handle=2708 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3480,i,83034834535672270,7075751960562590028,262144 --variations-seed-version --mojo-platform-channel-handle=3504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3508,i,83034834535672270,7075751960562590028,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ffbc05af208,0x7ffbc05af214,0x7ffbc05af220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1924,i,1546187389485670396,17179316766716046374,262144 --variations-seed-version --mojo-platform-channel-handle=2272 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2244,i,1546187389485670396,17179316766716046374,262144 --variations-seed-version --mojo-platform-channel-handle=2172 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2512,i,1546187389485670396,17179316766716046374,262144 --variations-seed-version --mojo-platform-channel-handle=2692 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4208,i,1546187389485670396,17179316766716046374,262144 --variations-seed-version --mojo-platform-channel-handle=4216 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4280,i,1546187389485670396,17179316766716046374,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4740,i,1546187389485670396,17179316766716046374,262144 --variations-seed-version --mojo-platform-channel-handle=4772 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5076,i,1546187389485670396,17179316766716046374,262144 --variations-seed-version --mojo-platform-channel-handle=5144 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5112,i,1546187389485670396,17179316766716046374,262144 --variations-seed-version --mojo-platform-channel-handle=5176 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5476,i,1546187389485670396,17179316766716046374,262144 --variations-seed-version --mojo-platform-channel-handle=5512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=564,i,1546187389485670396,17179316766716046374,262144 --variations-seed-version --mojo-platform-channel-handle=4344 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4628,i,1546187389485670396,17179316766716046374,262144 --variations-seed-version --mojo-platform-channel-handle=6208 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4352,i,1546187389485670396,17179316766716046374,262144 --variations-seed-version --mojo-platform-channel-handle=6228 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5828,i,1546187389485670396,17179316766716046374,262144 --variations-seed-version --mojo-platform-channel-handle=5484 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6356,i,1546187389485670396,17179316766716046374,262144 --variations-seed-version --mojo-platform-channel-handle=4736 /prefetch:8

Network


Files

memory/5156-0-0x00007FFBC8533000-0x00007FFBC8535000-memory.dmp

memory/5156-1-0x00000000003B0000-0x0000000000676000-memory.dmp

memory/5156-2-0x00007FFBC8533000-0x00007FFBC8535000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 afba56cb6fee3660b751b98418c1fdf1
SHA1 24364e0e691df3b6e7ebd0e142993fcd6b063984
SHA256 df86bc46fdd921147c26c94a4cc054efa01bf2fa837756ffc0139171c8a388d8
SHA512 dd138767c127af7e92a696ceccc3b304c99a52392c66d6e8af41f68be8165af55c99ccc62546afbec2da212f207e9b0a66968e73eaab4d3f2821172ff1d3a99b

memory/4668-15-0x00007FFBC8530000-0x00007FFBC8FF1000-memory.dmp

C:\Users\Admin\Desktop\read_it.txt

MD5 4217b8b83ce3c3f70029a056546f8fd0
SHA1 487cdb5733d073a0427418888e8f7070fe782a03
SHA256 7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121
SHA512 2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

memory/4668-85-0x00007FFBC8530000-0x00007FFBC8FF1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8df1d3873b50338c743b560fbf627e02
SHA1 5af8bb5bed32cf7a31b88886277952e513e67999
SHA256 69988a9c65d2b15cf43813c15c6ce94ce3b64371e120dfabd8c3692db5bbd754
SHA512 b02d167270afb508dd3c8046d38d96de996a2493804f1902031596a35ff4875330315daab35eb248897e295035949d306120765352dd9b5703cab167e7fc20dc

\??\pipe\crashpad_4852_WORPWSJDTUHZQAJP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 01cc3a42395638ce669dd0d7aba1f929
SHA1 89aa0871fa8e25b55823dd0db9a028ef46dfbdd8
SHA256 d0c6ee43e769188d8a32f782b44cb00052099222be21cbe8bf119469c6612dee
SHA512 d3b88e797333416a4bc6c7f7e224ba68362706747e191a1cd8846a080329473b8f1bfebee5e3fe21faa4d24c8a7683041705e995777714330316e9b563d38e41

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 31c05a4f04cc6a759ceac9337e190b9d
SHA1 702350a8a1705e47f89ec1eef860e88c7dcee898
SHA256 c6764163aa9641606a706213fb0feadc78b45a4e52299ebe727f98bbfbb1286d
SHA512 9a6499e2e4c6838a9a56eb45df5124da8f75a6649569076eb45831acace6b4979d398d0535e0e03e2b5b62ab73f40ced37d31daad6f7d9bca28d766d333fb9a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 c6a0c395b80f62e169fb2e9d53a513a9
SHA1 5d2426f2a481f9f2e45f9b621d4f6db0dbfb843c
SHA256 c6afcf40ce45ae02169a84e38dd1b769f8f0c5b98e7e6d9ff88f1a4b0acc6f10
SHA512 f73278157d3136cf66acf0a236b84f4e298351d292516a37c836fce98ca417df93da5735d3005d3616ddfb1718a874ad65b88cd9ffa4dac6fd637cbf22afd737

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5830cf.TMP

MD5 4a8b26ebb246c8ffba8e28e876fff192
SHA1 20e6ad4a0886795880e36f5a25d94503aa3bf6d5
SHA256 b6fc6278a4f46c5eb3bbf4f3c18d8796ddd3995fb9f558fd7e8391ae4e9324c3
SHA512 77c00977f06e23428f08a27d7f2bd3f63a038176fbd5e0a772361f87a4cf37b18939022ab3490cc84f3a22f2c5050e4a9f19ab8ecf4193f7686cff59bdff7569

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 565c52f00fc5d707fb83767108dd06f2
SHA1 37ad8b0a7ad3536ac2fe1042e8e52c2071892786
SHA256 3eca987035fad4468375a73106413b85486e654bea7b9a4d7c49ccbb5e5499ba
SHA512 2bde95e607bbfb26137431b9a629f1a3144b1b84317e21f01b66985dd0dca7b16fe87f617b3ed97f19f92155103b83c9635ca93468e786e802be14a21a681f78

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 6788572657eb6fa372d5e8a3ec1cf507
SHA1 83882e4b1cca4196eca1fcba54dab971f07f422c
SHA256 033d59284edb09e366a763565ad4bd7730bb1b50a8f6030c4c65fccf300b2872
SHA512 6eeb405dd164d019b05798a36e05fa67e4fec6acbcd56e0772a880df32a0a890e7f52194f317a38383861185aec7007e9e21ca2ba3c2709a5f6718c85c243dce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6be0ea5b-0c11-4491-8571-7ff62c7ad5ee\index-dir\the-real-index~RFe58312d.TMP

MD5 1c51e38187cef3653e18ebc375f5a782
SHA1 7f60a7fc336503506a5489bf0d7a28445ac6ea7d
SHA256 8da0149bc47b4d9404a402b7e9ab7476186c4d0a37a0afc09ab80efced38d24a
SHA512 d330a8e11788140026accca56b169476464864e7dab1156bf589eee1fbf203d1717f8db39a3c36d05f141b88a75f1f185fddbcabe0341ee6456fc64ab5595eb6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6be0ea5b-0c11-4491-8571-7ff62c7ad5ee\index-dir\the-real-index

MD5 2c921f5b30f651369c6182b7899735ff
SHA1 5f153d87aeaba71b707cbdcf0a4393dd5d4dd752
SHA256 a2cbfbc4e8fc69973eb385e297c57f3f0101735c689d03f7bd2ccf6d135d7b42
SHA512 0e3bbbfc939067c60f02d3aef64fd8d581f9919729d832708a0c93ad891f6d287b3c9409e21dc77f14ff730b9df342db377e9b53333456baa6cff1c51eaa31b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 5450e85e604ebe5f4408225f2e747c60
SHA1 947f1f7f95e8d27f707f9696d151524f53ff21ef
SHA256 603255d16c3a856ebecca83ddcaf2a2adb98331f610f44fc93ffaa20ddfdca49
SHA512 c1496c4633bfe15ca896770509c9f02fd7445d2a0a943b8c77dc2709fbf98a7f2846c606da1da47e87b786d713de73622a88cbee041f3cf9f7d5cf038b736735

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1785b32bcfd1ffc7548fe3e17a7ce229
SHA1 b178c3031f6efcf70ad6bf7fbde88ccd00bb39f1
SHA256 629bbb474ecb388cb6fa6904eb2b3af6ff92b9397baac0010edc69f58ea06875
SHA512 df117749b3f6dd42e0bb934046670ef3d406ce53e84cc77d3132e6a048341519f2f472011831af383572f712563cf9109e976494f5dde8c3104cf83ccaf0d08a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f9fd1bd4-3821-4fd8-ac64-8914ddd027c2\index-dir\the-real-index

MD5 8fa479c08bc54a17c21b5e68e0a43a3e
SHA1 b5be2672df78f9702156ced3a6fa7ef8d04a2b45
SHA256 88e0a15e121b6ce7a61422b3a7141b271f68e98fb5a2ff46023e16fef686ace8
SHA512 edde899d3cdfde79397afed3faaf4b95a8307cb1d65096fc753669131dfc8f1fb26d8e96459bc03a12fee621bcf62838ac08c8102643be25329631b60dbb78cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

MD5 24c10e3bd970046dbd3723aec3a2ec8b
SHA1 cc3a7ff5d85827d9d49940ee989604163a607df5
SHA256 2aa7227be2b9a1b2ae9de749f77a6490327d357e512839f7e0bf10460feaf0ff
SHA512 15d3b26158dee8aeec29ab132156fa6397e6ea7db0da524fca5374f678fe53bc0212cead262377f68164148e33faec70fc6ca9ae2a51cdc06680131c2ba1bdcf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe58312d.TMP

MD5 f9af10c6a8b5da0e7e3b3753bf52f8af
SHA1 f9f9dd3419cdc05a23733bb95b132f3d2bd59a61
SHA256 089a3963b34187cc45bc9f18dd579e887bea37452eb00b8d6c88440d483ccccd
SHA512 146c19a12f818683dec117ff0d371bc98ab0cd348b0604bc7675559bc65b2e07dd7c835d54a0b87c9bc53073e4b066276139954d256278ce20d1d02b97ae6eeb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 91d288b217b66e4aebdcc493ffefdb39
SHA1 ad7666268dd1670a6592056ceeb971bb80951926
SHA256 d94b16449f7df3a7f601d8601cb70f21db68cd269acbfc1febdd9a1970d77390
SHA512 3597590f52f7203280d677a18bc95161b67c4732d85b4803a015749cbf9d0684ea94badc2aef985655aef5fbf6bd97ab0d755fc3d4fee10ea598b976f4bd028a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnWebGPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 45da122a58280400cd77b8e18d5cf9c2
SHA1 33ede776eb01cdcffd831480e61275865c4c31e9
SHA256 abc842a1dfd5c270fd8c6c02af2f299be8d29acb08bdb1a80d1f0ec146df4b95
SHA512 3509badf678b064295dfe7b7e703140d921232dbefa52f69b0c469c749d1aa69e5614de631fe5d74a2e6714cd88849bf7b5cb349882b1d60f6fc1f73fae81269

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Variations

MD5 f732dbed9289177d15e236d0f8f2ddd3
SHA1 53f822af51b014bc3d4b575865d9c3ef0e4debde
SHA256 2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93
SHA512 b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

MD5 3e45022839c8def44fd96e24f29a9f4b
SHA1 c798352b5a0860f8edfd5c1589cf6e5842c5c226
SHA256 01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd
SHA512 2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG

MD5 2e60dee706ec396ee75ac892b371f2d5
SHA1 37faa02ce922df86cb5613c0ce5f443ecd2a9100
SHA256 eacec201cd16a8ed901aa6d4ada2fbb1c4c4e47e2369a242d40fc7c99e1e8cfd
SHA512 e323dd75a7e5f2c9c55fd617a558653e636dda4b8063738f0355ed5e36721533ff5215756303c2200c7e40c195acc104ab2f6288f816da1d798e2806179ce32b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\default_cloud_config.json

MD5 18261eb12378081f939fb9415ca0c9e1
SHA1 20d4ff782e17fe45e71c3f9fc60a94655f72ec7c
SHA256 12bbeec9a0af9e3ed945b28b9b8ef89b2f897768d1ba3ffd6f3fbb42fa5bc556
SHA512 fef634b4ce77c2f36ce1bdd63e8ac28e76cd089f0bff33f4425c757ddf37fe9fab30dea7b5bb51c91eb27012cf78800e03643e13d51a25bf624ce58ab3488a80

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GraphiteDawnCache\data_1

MD5 faa92f7465e47570654714d7de960665
SHA1 877a0abb17fcb02051e08860b956143ef8abefbf
SHA256 bc8d973e05cbd1c93d82d0bfb0f1ade282cfba4fd90fb5005880efe5e46a5bf8
SHA512 abc4eef1398eda961ca21c87457f57e17541f5578f047dafe3681d504e9844c2ac6e7edec4fe57099fad2401372727aa07019cd653777ac582e6a67797439881

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_3

MD5 fc6b49310de03cab78753f0e3e20f846
SHA1 1cb7e824307dff0ef6ac38e401e4d567ef70f0b1
SHA256 ce52afc61b3dce3682a7fef87eda05feb5fcfd628de1ff77d28c9584cc64d6ca
SHA512 5131c6465febeab21724635ca4fb4f22170d2991968bc17501c06636daeb9998a410892aa108f27f1eb00bbafbbebc04a919da695cdbeb2c60fa4b5fbbfc8646

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_1

MD5 7b8a93349d90b4174b87da66c82c2f48
SHA1 2ca9f012267575e35ea7d988029adf305b54b3d5
SHA256 e250c17d0f702bdd20b4463078135aec35ed30fff280c1c2bf86c08ee249fc70
SHA512 0a24f5515fc1cb737994b5bf0fa4c3a6c301076c945414411d80d6f037ff95c503dc31c9a8559e18f17fddd48333063babed32bee883bd24f54fe19e28b980d5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_0

MD5 6a8d87f3555edd06e1f21da4c32885a7
SHA1 44f7734ed4dc895180dedaa1ef44b3472120a6cb
SHA256 f4dd3111ef68cdaba985c34de2c18b10b6c1c42d092e76419f55e67c82ddd7ad
SHA512 344b52d81918fe03d288a1c11804392c15d09d20e8efebc80011a7d08b96b0fc544929bb5535e23ada06c7455375f94607bd61e3b20943c52fc2917a9724dd6d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

MD5 b767e014bb95f176ac4f2adbfdc71192
SHA1 21e911cef25272131a6135d407a6b0ee37ceb52a
SHA256 940a1e356e96424f8a362a45b2a5d200e2152f97d13b56abede34aee6bb96cc5
SHA512 3089fab5066ec7b84c215a7d8f12da0814aa7b77e717444105115bbc855e21a23431ed3b2df07675b2dc9cff4172ce41649df038d0bccfbabc3110ed75d7a7e8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

MD5 e23793e26fd91cb48c41cb5e6a1a0b9e
SHA1 1780e3e38e966cc9815d60b658206551d4daeb4a
SHA256 90da225065fb60a8afc30f99e0245dfe94486361b4c4eac43ca8e60144955188
SHA512 e1977390d6aa0b5906d46a459de50729e94d15cf43f5dc22cb37ce2c64f0cd64aa571e3cae785a6bada933800a95cc4007716d5014365cfa8b5e5b84c09f2f73

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG

MD5 ab6466ec2b7e84cb638954ef8d3cd5a7
SHA1 8c58ff52f4ba862d406ea0dac34a6881211a7033
SHA256 7e17f43a853dc1c30b28f7a8db61a74080d7825415fa8716ec23cdeba347faa3
SHA512 ee3c23d43e90480276757b53b6c1d02f912254fd08475deb2bf9006b8593354d5b8a94839bdba521319df5e56b61f9f7bd8d86f340a373de4285a401e8f4afc3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

MD5 97ba8d3f47e12a43cec79c44cc40dc16
SHA1 78991d4835e2b1fb3c8cde560b365b2f3107611a
SHA256 6d635e280d718ad42b604293865e02586d04473280ef2699e88eeb31486a4667
SHA512 004ff6941bc8bf802a8d4704fde78ca91cd72db14264469814b4819b553e05d5bceea5fff8555b69e019b30a408324e1e8bf6d46514b0287009b821c201577b5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

MD5 e253f7b9a98c9615239b118d6820443e
SHA1 8bc2cb792622bb9e04205f14767dba7eac352156
SHA256 59bc47adb52e66bb7054dc0c04cd204b69b11e109a44ba5eeea35eb2d0dfdb41
SHA512 ab902980f27d07e710295ffd190605e0f0526891268e10fbc6ae27826a86e9ee8836e46af92ef8f1c9ba3bae819ca35efad60ca9b32422dde2d44da9bd6f66d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

MD5 594e4311ac3305b104c81d3bc62ab5e4
SHA1 44e877858b9fa95400518103621882beaf3ea845
SHA256 b8ff2608ea8f19ca112ee2488a0728d5413d4b0861f192704a2f992d5de91573
SHA512 41cb183814b5fde5d6ee00f4cf516767bd53aef5a833e7f5c2472401fb31fad31a226b25fbdeed6f184742c6f61f7cfda3a321067b807831a4ac2ef984db72df

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

MD5 49f7e12559ccbb4b2b9b381a935da9df
SHA1 e0136c480cfa665bfaa8925daf3f9dc81e69efe2
SHA256 4057411949b9bf89e98c82e30f378195f935241e0aa8148cd5f8a15d96614231
SHA512 453a46d1b46b2af0c41f1006a213b87c1f97c71dbaa3c713f9dc0c05d333e00b16d2e6f3c581a8aeda375a2100c8fa1f03464514fd641d5d22321fbc7b3750ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

MD5 f02ab6f6b346048d7851688c8dbde8ff
SHA1 bc357e4f0b80c59de2603005db0d727d88c19640
SHA256 25f5d004cedacab3d4eec8ce318f7e65811b86bba610c48ceeb42dc65d00d9c0
SHA512 d88a9a9b8a778f274468dcd51e7cba0e625d21155abb034a023b30558aa86cb1475d96afe3f258ad52ace96f72f1288f600816ea4b2caec37f4f5657ee02c94f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

MD5 9d71a658cc248f43ec1edddd6e9cd86c
SHA1 5e42363447ef2c79df771b7604af304927d30a63
SHA256 89a9a56b1762c3ff21f11fda257f27de479785e0924722f439233f63b1291cf1
SHA512 682f42ffd4e2754187788acd560a0e6e099cbc8242c47efdd1609f41b8853c7fef89604e65374de6ae432f96459ae754563c9b6952a8fa10fc21ab06e0db265e

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

MD5 db5553f309cb7d2327796baf3d7cb104
SHA1 d106561ea32d891b48260ce9e3cf185ab1105002
SHA256 bdb2111002f691bfe97eb01c6165f9879c2e6aa5b97ecdd4a6ddb5eaa88a0f14
SHA512 25b81fac19e669e2de213367780fa488f0fc752f21ff1800b7f9de065747e091a90519b7c42365584efd8bbebbae4453b0d875a6e96054c24300147c4e64ab3f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

MD5 e046f329c0bbef0442009b7b064b60c6
SHA1 fa1867488ebfcbf75d1fad2010ff104f3e75aa57
SHA256 0afdb08c0f6f3ad8fb515f2157903fca11ca009865f522d36b6af9bd815b3472
SHA512 aaad9ea8e20b598d5d7d04cfca716da45f56222094aa071a8d957c9470c9cd9763e8dac3f6686b0eab2d76c4ca8341481cdb98d208c782724416499fcba8b88d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Reporting and NEL

MD5 d2d2bc1208362667508c2bc915538596
SHA1 265e0244789ecdfe2bc24cfcac415b4c15d14664
SHA256 1eece6660d9dec20439d51b21ddfa17b0a3739678b80e642213fc322b5a949a9
SHA512 3e7f0f98fab5d0812eed9b78f4cc7162b96248d0ef44c73285dbc1ec86867ece2296dd41362c829c1bb0958c310efdb8ce21235f0d66b5a8aa7705de4e3f68c9

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\8b0d4544beb97a69dbb9583fca5575a9aba6e37d.tbres

MD5 42b92ce8a3d74e04404924af0bbf927b
SHA1 adfd3cab1dc07c1420c96a31609472f9e9ee4a52
SHA256 4afb52ddabe18433a996644b9f754873dfe7dbbdd62094afe58986fdd45d0890
SHA512 cc7c1df64fa8aa9e342dde678dd0e1c3d995db0196be7312329605e1d5761ba57cea68298f4a82f47bf5c2253d3f39f1274f557d1daf19a439a48e3edad8299a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

MD5 a581f134bff2f6033a7ca091cb986787
SHA1 580f1e459430362774f47d74036b29b5d7a1399a
SHA256 25481e7d7cc31e3a0c7578910c8f32d72373f7cd0086a60de97bf4a57b822c12
SHA512 d90170d4e7b6ae60a5808e4518070376df78045ded191698b5c41c9e0039af58b5061615f2dbf4da905505a885f054a663945c8a132ce85b22661462ae684dc7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007a

MD5 17e21dc3d8c9eac495dc8449593897e7
SHA1 a8dac04430026d6d3a9b380f26ad78189a77dd0b
SHA256 d6118e4f2ccf8687e7acae8f0e663c432999c4e99975bedc295b06b494918e9b
SHA512 52a57e96a7aed282bee138584211a89f8dd58e5b77f3f11ebc8d098d537c6eda542f99fd0bfd887e703ec303d08f390934815c518d7da95192f1cacdfcb4394e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000079

MD5 9e70e30e06697f793baca6e57df40213
SHA1 d9ae5412030d8e38d945b2ca19030ea211a36c86
SHA256 81fbf5f09a94780dfd6ce095615dd759088db8cae3edb43eba772d95484a62e1
SHA512 5a760db3c8ef89e6a8ac131180770578c70fdb7fa6615b888203a0a0e498cf062e7ee57afa19dec028acdf60df4253a67c127d93a76cc7b84e337aaf2b47704f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000078

MD5 765aab9a630cede2e792ff0351339a62
SHA1 875c7393816e7db449f8b6742a4c2711bbab5569
SHA256 c91ccfd58d94a529c0b136d4a98bbd51236c36b77caffad96f6a05fcc117b5c7
SHA512 680c26888744ceedd0f6915d4f1a8431c27e4c855d6ab036536f28e11d243376c03707fd173bfc2a07a261303d86dc512f0dd6cf5251737b2c37c6b10e8957be

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000077

MD5 8fdb7fd5185f8a2b355103dba619270b
SHA1 272e4e7b4ae0f13489fb03b8210080beaa39acda
SHA256 15d3840593ccd0e22908b868ee43f9c8048d5b8dfde9912786a622957cd96975
SHA512 ad7563c5c6a5dc04364d0e583785c3e8e723bf5dd31ec5556d01b4943848ed55471aa7f9052bf2d86740c78eee3f1dd9e91c840fa521589e3a231796b6448c85

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_3

MD5 f5cc4d509b5d57de60130d97535f470e
SHA1 4b68af6691120a851c2284c6c12cb47932ab19de
SHA256 fda46f23e7b58e55d210c18cc53ced7bc2927e34f60e959fcf4d10b1a213eccd
SHA512 ddab26285ba92693969aff7fcaae2d2ddf91da658166f67b4321909c67dc2b085b0e64535f677eec3ddc4e7e35fe0a1317b3491d77a8317b950028d267f8cf38

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_2

MD5 3cc1b3160bbe368d71d3b49ddcd7316c
SHA1 f84a32bd2b29630f441e06dbf2797aae693e0c76
SHA256 965c3706763a3a114dbb86bbb7b83aca51c45dea2662c66ad3c61fb8b4fae143
SHA512 138393f440aed9be33104348b63fccebbc68f3c558199288fb0c9dd83af87ec00c57cab3878f64d243f43aa521d0d9d0abf9dd124bce1ea0097515e1c99ed0fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_1

MD5 0afa85a90e6e176ce9c70f5f5778b3d2
SHA1 e0353dadac57be2a5402a95212e96e7fb3f11ff8
SHA256 f44a08830cb2159842c12b6c96ad8a0ffa2a1fd5c0a1aff551b6a42cbc02558f
SHA512 49a03263503f9ab68fdf04a86ce0eff6a73303e411ff3ff01acb680969977e03d1c3ac9e2806827dbb03fdf066c74e4c9228aac05b7fd323597046fdfdd51676

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_0

MD5 1c32e29eba36dc7f305bad5b215b6640
SHA1 5f0617e4f7e0627923fd2704d11e1668f08be10d
SHA256 fedb29fc81983119885cd4ba4f7540f047552e042cac50569127b113b50caac8
SHA512 3fccf724ca1fe584c588fc93212b916de1a57644a321c9f5c0b04ce1b8d8f66d5182a1f5fb1e58da4d25b7bf5963dce5a85fc02844d8d4b29d9dd40beb6e810a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

MD5 42682d2cb7b92224759a018a2976f723
SHA1 1945a9426b457747db89ed35536b8167392e87cd
SHA256 3cc8f31aa32f46dfe5033f81fe1b931a5a32658b17d4e24154cadb4e078e3a0b
SHA512 a24011dc1944d2f71ba5e704da4d091429c12a43dda7c1a338bdc54aa8c9bcb910fcd6c6a73a69c447504245b8be8ecaccdcd30fa13c76cbbea9b12caf9d7a3a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

MD5 f202424d6639d345e0c5764370ef9a0a
SHA1 c270665d7e1e6a609c8428760aab0244ad4eeb94
SHA256 984864579339295016126be857cfa054260861d8ecf760e8bddcff7b7ee96deb
SHA512 5ecfc8063450d3e989386bba1e95afabc899deb949f3b0be2b143261e4535a4ecd6f3f23fd16685765a2b83083f401d8e8ed8369d2d1ad8584c2a5b51985b2c7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

MD5 89cb527cbc3e755c656eb273ee215367
SHA1 28646f1fde7bc6d67395f3ed4a8311071944a9cf
SHA256 a4361c6c973497a63e310f8c460ac361774b5dc002ce51c987460dc50d1dec6c
SHA512 7c27a1d2e7128a4e8a93192caeb105eb56141115e05b146838397dee2ccd4af35b092f2f89b624f797ab5403216195650d0fd52ff866d6fda266396f6ab6a845

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\AdPlatform\auto_show_data.db\LOG

MD5 e53ae43dfa325054552f8607c06ccee0
SHA1 3e30d532b60c1148288189c8bebd4e5c598ccb59
SHA256 7c2ffb6c654381c654a5f2db1aaa61e57ca95f8395bdd5aaa12d6bd7fc043e0f
SHA512 0f6589b04cdb91677d7d61d81149e6a03d473db2685f3af1cc734faa742f030023bfebc50a7a52d6af1fa27e26fb3f01b7f1421a7acdde7ad22953b16b546c58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

MD5 6c5201f337641cee957641132609e2e5
SHA1 2e75f95d6fad7402b6009a034217286518a83ca2
SHA256 77caf148e46bf8848d70ffdfa8a274195fd00e0262ed2dda4efa6932b5d987c3
SHA512 2329a53e0a23bbe62d772365068d1fe266e7e10fc0955036989a803f222bceb595f2383b01719fc2b47e26056a376beda0f7519ba8095b27021b7eb1622e4979

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebStorage\QuotaManager

MD5 29c5f158bc7f99563b5ca568d7524d88
SHA1 e5a2bdf443d80761cda5f714b23c9c3ccba7d9c5
SHA256 e7e9564b79026555286f3d68b32f132ef39a44316e27d05380c9b66f66415792
SHA512 8541ba8a8962c0cb29a6237a170d76c5cbcbd7c89808888ef13d23de557293214fbcedb3557a783cb9dd48d2691cbb858a42ddd3436be1362544c943fbc1bd28

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

MD5 a694d1e4739cf2d6ddad81b7399160e1
SHA1 9301b6efac44aca0a39e6976a75bd7aef7147bb9
SHA256 e64c3e2bd1a4a209f35fa1c4aafb260466a12c7f6f0f2d80466fea044f55e191
SHA512 bb8f3af3102c2f7a88e6e9e398bd50832066dd49e1d445345f04cd95b0b2389e1705e078e17e0ff7f1ca4a5cd1c64002a3beb132deac6afcbd9522bac504d2df

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0

MD5 5af7ea9876cbfeca14f332c8f316614c
SHA1 f4b2b63ffcc6ff776495c9247fd2c3f9a43903cf
SHA256 5cd009aef827c347652ff98808a6a64e6f62f73f43c6bb28d6d2fc3186783705
SHA512 561f0c7a59d86ad4757c02423e6b5051e2a3ca7f00a790e0f0a3aa1895582b134508f8612d0eac9981dfe6f09b5016e7afacade625a1487eb27bbf125a307454

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

MD5 b0793d80d64692a25ac3712bcf6730c0
SHA1 c40f191a37747c440525ccbf13d4f3cdcd7b73fc
SHA256 d3731ec65626e057841b832dfe52fbc1c34b732e0d8d1a2bf7159db7d572e1ea
SHA512 389fcc195f5974c402a2570d4437a4389c8562ebafbf840e8ccf43e57dd6f357fdcfd02f7530f4e931decd2f468b98c08f9da443fdf9a6fe4496901baabcf31e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt.tmp

MD5 1844ae941c237a3deed6fb9b8bf71c4d
SHA1 3e50aebe763f64e34e41ff3d8eedbc25de81419a
SHA256 d8387a415f8f17b855e42a3180348b13aea255592b07902d1d8d8ddcdaf4c046
SHA512 95cb0a1e58575411bd6a0a24dcca8ae06fde668c5f1482b08b4fda7f696486fe43cf51ad363a5078d372620e61a796154ec033c2d5ac000fa53f76d0962cc146

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c3d7b7d6dd3e205456a31f6af827a3df
SHA1 56a7a7616ebe25f6fcdb5b1c9585f1dc473f19b5
SHA256 fff13f149c7276842c99f85832622a2f2991515fb3f66f51079bff3c5f7dbd7e
SHA512 5ae50b4adc07889b974683b4b455e93769190745e82ad1ae0e2ca3f13f1fa2dd385ef561a87ef20de9a426dbb7198b077b648aaa4a0877d35f490e3dd16245eb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f9fd1bd4-3821-4fd8-ac64-8914ddd027c2\index-dir\the-real-index

MD5 d66bf73869d8e04fe45f99c2fd1d014d
SHA1 808a42333ce5b4842e3802236be2182b50ec65b4
SHA256 a9bb404093925a9ff95fca710b323e8d0a9668ecb1a35cea8add284308674da7
SHA512 61b32e8e58f75879eb541efb7ec90328a5830a469d7d63fadf073a0e108543c5afd19000b62a662ee8b49bbab9e44bb4211ef06d9041a9ec4c19f978c1dcd8e4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b5e3c2d0-638e-4222-a1d5-36828b7533c9\index-dir\the-real-index

MD5 b3c8a0d818f247709c5fb02a7fd075e8
SHA1 38d4a5b1d3b1459929ead0c8e41d9774d7e291e6
SHA256 5cb531fd7a05dd411eda324ef6a4d74847f5c0b1abd30295253458b896fc5b4a
SHA512 6b016b5b558a94b5912acedc7013e15f2053c6e86f81c22a710bcc5711cc8c846bccf181ff05ec530efc0771975ac6291a66871ccf4fc5195370559ac8e72d96

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b5e3c2d0-638e-4222-a1d5-36828b7533c9\index-dir\the-real-index~RFe58940d.TMP

MD5 f628a776cd0932260a176ee3629e59e7
SHA1 61436041db53a80b09676a0938b34de638520905
SHA256 d307f07bab1f684ec4a96e21bded06b3861c23856fb7e12c118d02f0d0356477
SHA512 93ab6cb09f249fd4d45972ecf3083995c25c92351f913cd63037e2812d965333ee11a237601b8737834d6ab55a3c48d695d64b534c58bf4b670a9c7e00747a6a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 e4eba6b0038c1e4d1e56938d6ae4e8b7
SHA1 27fb173b58fdcb1258bda19c87eceb316114d4d9
SHA256 ff48d812a2646df4b6bbb2249db305a739a16f18f7a1cad668fa289d03f752fd
SHA512 684ce9d5caaab4ee55f9758164f4589bbdea81d5346fa4cdd0456fa4df2472d44f39a61f0007ca30b4ce39e33062f63a43b1af330c4cb7acf89dfebb9274b383

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 1974dd2b1f11a8292527d7025ec2c8df
SHA1 048903998ddc54725c3ed2c8faf057bdbe13acdc
SHA256 1d6255e2ebb18c5480d93a1979fedc8192943bb17e992ad89272e66648b1da90
SHA512 221ab4def5411864a2c622ab1aa30468c85daa487c82e806e755c18e4a71c16d1ace3d17e39ea31b5957750f52f6c8424104f5ec6cf16962a06634e34c62bef3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6be0ea5b-0c11-4491-8571-7ff62c7ad5ee\index-dir\the-real-index

MD5 94c9270b25935f97206bb685658940fa
SHA1 3bbe51e2f74cca65d7bc8f49e1f57997e4c6f215
SHA256 eb320813356b347cf3d9313398c71d03c01eaf724e4873cd055bbd7618d12bcf
SHA512 30c221747715e02b3ae516aecf7cd2b575dda45cea40e21b31e3dbf15197c67f951ba1e48d620d2568e7bd9b0926692b728cddbd217fbde8309d659a90eb138c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

MD5 b91722444f05126803adfaa47cb81011
SHA1 9b53ce6db7aa0fb6f5d3f120dcbdb916e73f98b2
SHA256 9f8b7fe3264bef601ded674de8c3adbb079838458f086903d4fe9b0c128df97a
SHA512 69c299ee833712a77e991138d7f3f6e20a41d8f91e5ef1910e3388e979d0a70893d76ce3645506eae1e5ec2c85dc4d26dfec1c22b9aa262f9d38a89ee3c139f0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 37bdded830961585a88c8ec208d31fc5
SHA1 b190232593f3350765e04f35688d90e9929a1332
SHA256 75e6675f47e4553a187f8cec4f32359f566a9b6a98b77ecca722f2821e9a6e5f
SHA512 d54dc597203987f41ceb17d4c61898abfd99bbf2df2eeeb6f64b18cbe59b6510c960494532239eba6330ca2606f45153b8ddff164d37349592551c5933080864

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 d6fdac28baab0668938805806e1da0c3
SHA1 c4f6386255792b05a46f1aad5f675f04ffbf254e
SHA256 94de565e3bc026d06f2d3eb72d51ce103fa8e9d9720278f4596bdf88f9235f4a
SHA512 1d9bfcc4beba620a4a703d383475c3861079abc3511ceec62353bb0d05fea97b6b42c7694a06e70a1087fb4a1f4582e9af646b3190365fd7085ba9b8c758bf8d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 cb1a03adb6415a0ad22ae9ad1b009b81
SHA1 81589569c3b0fd2ec09272c3d773b0c6bde62790
SHA256 c30ccfe2b91524490f08d3164a648640f0b6a6231463c48901b2721ce054ae58
SHA512 7c9e01c7760e5edb1b831f165d740381fac8a433b780ec042926a074428a1577cb0f6a28d7419e66bc7dc0c97967c840b0d0301edbe018031126ee7040225198

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

MD5 41c1930548d8b99ff1dbb64ba7fecb3d
SHA1 d8acfeaf7c74e2b289be37687f886f50c01d4f2f
SHA256 16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502
SHA512 a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 07de89f5245e0e0ea4f215ac8000e96b
SHA1 24e27fb793b4036f1540675c8d423d0b9b863e6d
SHA256 98f78f739cf1681ba10f6e3fdfdeb688907ef1d4834c9204465461bf26bb9505
SHA512 05110920d46b1121af595f8e743e00791da7b57092687073f2f0f25b2da6296feeffc47baa406cb1d5050ae1778ae66d2128941d66fb892d327687995fc31522

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 eefaa285dc0e26229d052c11478d592a
SHA1 022f987d8f221fdf29617762c776c8df7e6780d6
SHA256 f16693dcde0634a550c31a0dab3341f10905b379e4618808d2aa4e26ae12cada
SHA512 494410dd6636543560b47e3b234a938c4ee5ee026c62523fb8dd8a9a289b22972b4e83d8e806514518497cd1e79ea5eb88200a074be05bf962949d3afa88494c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 b141869489ae41caeb15caa77656691e
SHA1 296cd39a29d68efe55be3bceb5072cf12c552d07
SHA256 ae088bf56197605820beafd283cb372d2e248a2400ebf1c057159b8ff081a0a3
SHA512 c28eff838e508b216fd173c24ee1b13c011019520cfd07fd5dc92a169b47fbef5b1a998f7153507d0b9464a474d554925b61dce70f0bacb33deff4477e9a3225

C:\Program Files\chrome_Unpacker_BeginUnzipping1352_89810460\manifest.json

MD5 c3419069a1c30140b77045aba38f12cf
SHA1 11920f0c1e55cadc7d2893d1eebb268b3459762a
SHA256 db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f
SHA512 c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

C:\Program Files\chrome_Unpacker_BeginUnzipping1352_89810460\LICENSE

MD5 ee002cb9e51bb8dfa89640a406a1090a
SHA1 49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA256 3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512 d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

C:\Program Files\chrome_Unpacker_BeginUnzipping1352_1725998183\manifest.json

MD5 7f4b594a35d631af0e37fea02df71e72
SHA1 f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57
SHA256 530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1
SHA512 bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

MD5 bef4f9f856321c6dccb47a61f605e823
SHA1 8e60af5b17ed70db0505d7e1647a8bc9f7612939
SHA256 fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5
SHA512 bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c