Analysis

  • max time kernel
    92s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-09-2023 09:41

General

  • Target

    1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe

  • Size

    235KB

  • MD5

    f6f120d1262b88f79debb5d848ac7db9

  • SHA1

    1339282f9b2d2a41326daf3cf284ec2ae8f0f93c

  • SHA256

    1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281

  • SHA512

    1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd

  • SSDEEP

    6144:c5vMUmRTTgwnfeP+Jx1cLNAIyBcc9WrEWUC4wQh/6BeX:/U8Tgufnx1cLNncgQWUUQh/+e

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">CC0C9EAFF659EEF20B7F70B3D575113AFECE0CB12B5AE86C15BC69901EEC0FDE4A110BCE527F88637D1F241C74648D2EA66F7BE412E2E2D97459B3CF3774E0F8<br>D836BE57536D0490FA0DB36C1C627072349E1062E9FCA9FA08310A7B642AACB907A49C97D44A6BB380C8335AB31BC257B745B088E1418C35EBEC84EC7CBB<br>C37BC333D05DDFAD1A2825C7C811B7FCDD0FF9841600D810F5230426E37EAAFF9A422FED6E77C230DFA809645623601504EF2634556F98574C391EB15139<br>0BE78D2D3FD80CDF367963B1D7436E89E39641D8831449AD7F3CE5A7E5CF6B54372902E50F4B0A1ABE768C13787763E8F3BCED4E54D43897CF58530D4EA5<br>6EB23508ABA7BBDC4919E8EB97E871402BB8E02B0E41C18DC0ACA607118BA0785C91963C00796ECA88D0241BE2B461830C436DFF63BB4E86B0A25A52CA2E<br>1ECBB487302E89C564023CCF2253F242C79856EDE10C534B19A72FCBE180B358F9731FBE2FDD2AA24511E297E77841B3BFCB627882A1CE28ACC131DD079E<br>66C2D787E0D929EA4FAB4625583975E8D9C79F79E1AFE00EE91827EEC4FD2CDA3805C70057778634B0A5D4DD03621D64B2167923A46148E3C8AEA6405364<br>1E3AF9EB0DC76496D9F5C32CDFADDABB88284E85B0BF7372DB2EB4AD54A07B2BB6F3B77E3AAE3A46E2984D0675E1814B
469E227CDC83E6B11506CE9E07F1<br>8B0671E342D61A5CCD23848094A0</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. 
<br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RECOVER_DATA.html

Family

medusalocker

Ransom Note
Your personal ID: CC0C9EAFF659EEF20B7F70B3D575113AFECE0CB12B5AE86C15BC69901EEC0FDE4A110BCE527F88637D1F241C74648D2EA66F7BE412E2E2D97459B3CF3774E0F8 D836BE57536D0490FA0DB36C1C627072349E1062E9FCA9FA08310A7B642AACB907A49C97D44A6BB380C8335AB31BC257B745B088E1418C35EBEC84EC7CBB C37BC333D05DDFAD1A2825C7C811B7FCDD0FF9841600D810F5230426E37EAAFF9A422FED6E77C230DFA809645623601504EF2634556F98574C391EB15139 0BE78D2D3FD80CDF367963B1D7436E89E39641D8831449AD7F3CE5A7E5CF6B54372902E50F4B0A1ABE768C13787763E8F3BCED4E54D43897CF58530D4EA5 6EB23508ABA7BBDC4919E8EB97E871402BB8E02B0E41C18DC0ACA607118BA0785C91963C00796ECA88D0241BE2B461830C436DFF63BB4E86B0A25A52CA2E 1ECBB487302E89C564023CCF2253F242C79856EDE10C534B19A72FCBE180B358F9731FBE2FDD2AA24511E297E77841B3BFCB627882A1CE28ACC131DD079E 66C2D787E0D929EA4FAB4625583975E8D9C79F79E1AFE00EE91827EEC4FD2CDA3805C70057778634B0A5D4DD03621D64B2167923A46148E3C8AEA6405364 1E3AF9EB0DC76496D9F5C32CDFADDABB88284E85B0BF7372DB2EB4AD54A07B2BB6F3B77E3AAE3A46E2984D0675E1814B469E227CDC83E6B11506CE9E07F1 8B0671E342D61A5CCD23848094A0 /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. Contact us for price and get decryption software. qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion * Note that this server is available via Tor browser only Follow the instructions to open the link: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. 3. Now you have Tor browser. In the Tor Browser open qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion 4. Start a chat and follow the further instructions. If you can not use the above link, use the email: [email protected] [email protected] * To contact us, create a new free email account on the site: protonmail.com IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.
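
The two "Extracted" records above are what a ransom-note config extractor produces from HOW_TO_RECOVER_DATA.html: the victim ID, the .onion contact, the e-mail fallbacks and the payment deadline. On this page the ID is 1024 hex characters (512 bytes); the note claims RSA+AES, and 512 bytes is the size of a 4096-bit RSA ciphertext, though the report does not say what the blob holds. The following is an added example of such an extractor, written for this page; it is not the sandbox's own code. SAMPLE_NOTE is a constructed, shortened copy of the note's structure: the ID is cut to its first 68 hex characters, and the e-mail addresses are the redacted "[email protected]" placeholders exactly as the report prints them, which the e-mail pattern deliberately accepts so the redaction stays visible in the output.

```python
"""Extract the responder-relevant fields from a MedusaLocker-style
HOW_TO_RECOVER_DATA.html note: victim ID, .onion contact, e-mail contacts, deadline.

Added example; this is not the sandbox's extractor. SAMPLE_NOTE is a constructed,
shortened copy of the note structure shown on the page: the personal ID is cut
to its first 68 hex characters, and the e-mail addresses are the redacted
placeholders exactly as the report prints them.
"""
import html
import json
import re

SAMPLE_NOTE = """<html><body>
<div class="tabs1"><div class="head"><b>Your personal ID:</b></div>
<div class="identi"><span style="color: #ffffff;">CC0C9EAFF659EEF20B7F70B3D5<br>75113AFECE0CB12B5AE86C15BC<br>69901EEC0FDE4A11</span></div></div>
<div class="tabs"><div class="content"><div class="text">
<b>/!\\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\\</b><br>
Your files are safe! Only modified. (RSA+AES)<br>
<b>Contact us for price and get decryption software.</b><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a><br>
<a href="[email protected] ">[email protected] </a><br>
<b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b>
</div></div></div></body></html>"""

# v3 onion services are exactly 56 base32 characters before ".onion"
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b")
# real addresses, plus the "[email protected]" placeholder the report substitutes for them
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+|\[email protected\]")
ID_BLOCK_RE = re.compile(r'<div class="identi">.*?<span[^>]*>(.*?)</span>', re.S)
DEADLINE_RE = re.compile(r"WITHIN (\d+) HOURS", re.I)


def strip_tags(fragment: str) -> str:
    """Drop HTML tags (so the <br>-wrapped hex rows re-join) and decode entities."""
    return html.unescape(re.sub(r"<[^>]+>", "", fragment))


def extract_config(note: str) -> dict:
    """Parse one ransom note; absent fields come back empty/None rather than raising."""
    m = ID_BLOCK_RE.search(note)
    victim_id = strip_tags(m.group(1)).replace("\n", "").strip() if m else ""
    if victim_id and not re.fullmatch(r"[0-9A-Fa-f]+", victim_id):
        victim_id = ""                       # reject anything that is not a clean hex blob
    text = strip_tags(note)
    deadline = DEADLINE_RE.search(text)
    return {
        "victim_id": victim_id,
        "victim_id_bytes": len(victim_id) // 2,
        "onion": sorted(set(ONION_RE.findall(text))),
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "deadline_hours": int(deadline.group(1)) if deadline else None,
        "claims_rsa_aes": "RSA+AES" in text,
    }


if __name__ == "__main__":
    print(json.dumps(extract_config(SAMPLE_NOTE), indent=2))
```

Run against the full note from the page, the same code returns the complete 1024-character ID (512 bytes) because the `<br>` row breaks are stripped before the hex check; the length check is a cheap way to tell this family's note apart from copycats that reuse the wording with a different ID format.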

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

  • MedusaLocker payload (9 IoCs)
  • UAC bypass (3 TTPs, 2 IoCs)
  • Renames multiple (227) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and renamed.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • UPX packed file (10 IoCs)

    Detects executables packed with the open-source UPX packer or a modified build of it.

  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Drops desktop.ini file(s) (1 IoC)
  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (63 IoCs)
  • Suspicious use of FindShellTrayWindow (26 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 3 IoCs)
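
The "Renames multiple (227) files with added filename extension" signature is the one most worth reproducing from file telemetry, because it is the encryption pass itself rather than a preparatory step. The block below is an added example of that logic, written for this page and not the sandbox's own signature code: it keys file-rename events by (process, appended extension), and reports a process whose busiest sliding window renamed at least a threshold number of distinct files by appending one new extension. EVENTS is constructed telemetry (seconds since start, pid, old path, new path); the ".locked" extension and document names are invented for the illustration, while the PIDs reuse those of the report's process tree.

```python
"""Flag a process that appends one new extension to many files in a short window,
the behaviour behind the "Renames multiple (227) files with added filename
extension" signature above.

Added example, not the sandbox's own signature logic. EVENTS is constructed
rename telemetry (seconds since start, pid, old path, new path); the ".locked"
extension and the document names are invented for the illustration, while the
PIDs reuse those of the report's process tree.
"""
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Optional

# constructed telemetry: a burst of 25 renames by PID 556, then unrelated noise
EVENTS = [
    (i / 5, 556,
     rf"C:\Users\Admin\Documents\doc{i:03d}.docx",
     rf"C:\Users\Admin\Documents\doc{i:03d}.docx.locked")
    for i in range(25)
]
EVENTS += [
    # extension replaced, not appended: ordinary save-as behaviour
    (3.0, 1200, r"C:\Users\Admin\Downloads\report.tmp", r"C:\Users\Admin\Downloads\report.docx"),
    # a pair of backup-style renames, far below the threshold
    (4.0, 3156, r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State",
                r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State.bak"),
    (4.5, 3156, r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences",
                r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences.bak"),
    # same actor and extension, but 90 s later: outside the burst window
    (90.0, 556, r"C:\Users\Admin\Desktop\old.txt", r"C:\Users\Admin\Desktop\old.txt.locked"),
]


def appended_extension(old: str, new: str) -> Optional[str]:
    """Return the suffix when `new` is `old` plus exactly one extension in the same folder, else None."""
    o, n = PureWindowsPath(old), PureWindowsPath(new)
    if n.parent != o.parent or not n.name.startswith(o.name + "."):
        return None
    suffix = n.name[len(o.name):]            # e.g. ".locked"
    return suffix if suffix.count(".") == 1 and len(suffix) > 1 else None


def detect_rename_bursts(events, threshold=20, window_s=60.0):
    """One finding per (pid, extension) whose busiest window renamed >= threshold distinct files."""
    per_key = defaultdict(list)              # (pid, ext) -> [(ts, original path)]
    for ts, pid, old, new in events:
        ext = appended_extension(old, new)
        if ext:
            per_key[(pid, ext)].append((ts, old.lower()))
    findings = []
    for (pid, ext), hits in per_key.items():
        hits.sort()
        best, left = (0, 0, 0), 0
        for right in range(len(hits)):
            while hits[right][0] - hits[left][0] > window_s:
                left += 1                    # slide the window start forward
            distinct = len({path for _, path in hits[left:right + 1]})
            if distinct > best[0]:
                best = (distinct, left, right)
        count, l, r = best
        if count >= threshold:
            findings.append({"pid": pid, "extension": ext, "files": count,
                             "first_seen": hits[l][0], "last_seen": hits[r][0]})
    return sorted(findings, key=lambda f: -f["files"])


if __name__ == "__main__":
    for f in detect_rename_bursts(EVENTS):
        print(f)
```

Keying on the appended extension rather than on rename volume alone is what keeps editors, backup agents and browsers (which rename profile files to .bak or swap .tmp for the final name) out of the alert; the same-folder check drops moves, which installers do in bulk.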

Processes

  • C:\Users\Admin\AppData\Local\Temp\1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
    "C:\Users\Admin\AppData\Local\Temp\1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:556
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2124
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2752
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4372
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\HOW_TO_RECOVER_DATA.html
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3156
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x94,0x128,0x7ffa39cd46f8,0x7ffa39cd4708,0x7ffa39cd4718
      2⤵
      PID:3640
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,9868406577383033658,3779582882703392107,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
      2⤵
      PID:1200
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,9868406577383033658,3779582882703392107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
      2⤵
      PID:408
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,9868406577383033658,3779582882703392107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
      2⤵
      PID:2604
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9868406577383033658,3779582882703392107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
      2⤵
      PID:4984
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9868406577383033658,3779582882703392107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
      2⤵
      PID:3668
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,9868406577383033658,3779582882703392107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
      2⤵
      PID:3480
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,9868406577383033658,3779582882703392107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
      2⤵
      PID:828
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9868406577383033658,3779582882703392107,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
      2⤵
      PID:1484
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9868406577383033658,3779582882703392107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
      2⤵
      PID:724
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9868406577383033658,3779582882703392107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      2⤵
      PID:2624
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,9868406577383033658,3779582882703392107,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      2⤵
      PID:3624
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4428
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4648
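
The three wmic.exe children of PID 556 (each carrying "Suspicious use of AdjustPrivilegeToken") are the sample attacking Volume Shadow Copies before it encrypts, so that restore points cannot undo the damage. The block below is an added example, written for this page rather than taken from the sandbox, of how a hunt over process-creation telemetry (Sysmon event 1 or Security 4688 style records) would pick that up: it normalises command lines, matches the wmic SHADOWCOPY pattern from this tree alongside the other well-known VSS-destruction spellings (vssadmin delete shadows, vssadmin resize shadowstorage, wbadmin delete, the Win32_ShadowCopy WMI class), and escalates when the parent lives in a user-writable drop directory or launches the tooling more than once. EVENTS is constructed: the first five rows reuse the images, command lines and PIDs shown in the report with parent links as the tree draws them (top-level parents are unknown and left None); the cmd.exe and vssadmin rows are invented so the rules have a benign and a second malicious case to tell apart.

```python
"""Score process-creation telemetry for shadow-copy tampering, the behaviour
behind the three wmic.exe children of PID 556 in the tree above.

Added example, not the sandbox's own logic. EVENTS is constructed: the first
five rows reuse the images, command lines and PIDs shown in the report (parent
links as the tree draws them; top-level parents are unknown and left None),
and the cmd.exe/vssadmin rows are invented so the rules have a benign and a
second malicious pattern to distinguish.
"""
import re
from collections import Counter
from typing import Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

EVENTS = [
    {"pid": 556,  "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2124, "ppid": 556,  "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe", "cmdline": "wmic.exe SHADOWCOPY /nointeractive"},
    {"pid": 2752, "ppid": 556,  "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe", "cmdline": "wmic.exe SHADOWCOPY /nointeractive"},
    {"pid": 4372, "ppid": 556,  "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe", "cmdline": "wmic.exe SHADOWCOPY /nointeractive"},
    {"pid": 3156, "ppid": None, "image": EDGE,
     "cmdline": rf'"{EDGE}" --single-argument C:\Users\Admin\Desktop\HOW_TO_RECOVER_DATA.html'},
    # invented: an administrator listing shadows (benign) and deleting them (not)
    {"pid": 7000, "ppid": None, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 7001, "ppid": 7000, "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe list shadows"},
    {"pid": 7002, "ppid": 7000, "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
]

# (name, pattern over the normalised command line): wmic SHADOWCOPY is the page's
# pattern; the others are the other widely documented ways of destroying restore points
SHADOW_RULES = [
    ("wmic_shadowcopy", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b")),
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin_resize_shadowstorage", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wbadmin_delete", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b")),
    ("wmi_win32_shadowcopy_class", re.compile(r"\bwin32_shadowcopy\b")),
]
# parents living here are user-writable drop locations, not where admin tooling is launched from
SUSPICIOUS_PARENT_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


def normalise(cmdline: str) -> str:
    """Lower-case, drop quotes and squeeze whitespace so one regex covers the usual spellings."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


def score_event(ev: dict, by_pid: dict) -> Optional[dict]:
    """Return a finding for one record, or None when no shadow-copy rule matches."""
    matched = [name for name, rx in SHADOW_RULES if rx.search(normalise(ev["cmdline"]))]
    if not matched:
        return None
    parent = by_pid.get(ev["ppid"])
    parent_image = parent["image"].lower() if parent else ""
    finding = {"pid": ev["pid"], "ppid": ev["ppid"], "parent_image": parent_image,
               "severity": "medium", "reasons": matched}
    if any(d in parent_image for d in SUSPICIOUS_PARENT_DIRS):
        finding["severity"] = "high"
        finding["reasons"].append("parent_in_user_writable_dir")
    return finding


def hunt(events):
    """Score every record; a parent that launches the tooling repeatedly (PID 556 here) is escalated."""
    by_pid = {e["pid"]: e for e in events}
    findings = [f for f in (score_event(e, by_pid) for e in events) if f]
    per_parent = Counter(f["ppid"] for f in findings)
    for f in findings:
        if f["ppid"] is not None and per_parent[f["ppid"]] >= 2:
            f["severity"] = "high"
            f["reasons"].append("repeated_from_same_parent")
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["severity"], f["pid"], f["reasons"])
```

The parent-directory and repetition checks are what separate this from a bare string match: a backup operator running vssadmin from an elevated shell scores medium and can be tuned out per host, while a binary in AppData\Local\Temp driving three wmic instances in a row, as this sample does, has no benign reading.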

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize
    152B
    MD5
    4d25fc6e43a16159ebfd161f28e16ef7
    SHA1
    49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
    SHA256
    cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
    SHA512
    ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8009b81d-7ba2-40f8-b2a4-7a881bf959ba.tmp
    Filesize
    24KB
    MD5
    d555d038867542dfb2fb0575a0d3174e
    SHA1
    1a5868d6df0b5de26cf3fc7310b628ce0a3726f0
    SHA256
    044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e
    SHA512
    d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    5KB
    MD5
    49b75be6939bc4e5b0be014a93b2041c
    SHA1
    615dbae9dd9005b209bfa507b24a62e09609174f
    SHA256
    bc254ab1a7e577bfaa84d4f4601e8a3d80e1a8a59303bb232270011497b63ab6
    SHA512
    084a46ae5c316444ce43d3734977abd24b815a3920e01588dcb0bff70db9c3866750f8bb84f8be0aa49721724eb82f7c6af7d537d99fb93b5b59e6600267fb3f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    5KB
    MD5
    958b3f12a29a7320f35f3a79aa86bf93
    SHA1
    9421f0c32372f58ca8234d829ee51cce3100be65
    SHA256
    1949a0fca16cbcc97ad2f522932174b151a6bf5af20a286e3fbdc1bd3cbdde07
    SHA512
    4f38e60fe33571e9bfefe56663bf3a133c7b72682e344c04d1c34880f26ddaba9d7df23adb6dbaadb6af993bf4a4534a9e6ac497c47fb6fc1477bd5aaafda884

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    6KB
    MD5
    bd0e250a62970d6137333e1c0fda3117
    SHA1
    6f0b9609785b98776c41dc438321b9f0c9613b63
    SHA256
    a57c03c402882c85ac88d7e39b47c332f562bfda149399f37e8ddbfd1c884c36
    SHA512
    62df6fcd35d27b287e76bb9603b09ff53697b89a9c964ed8f700c5048245bcc2b4b61709ada9e0f765edb71fcae468dfdc8262b9206f44615c09405d72c53568

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize
    16B
    MD5
    6752a1d65b201c13b62ea44016eb221f
    SHA1
    58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256
    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512
    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f14f2a76-a2ad-4bce-b3b8-ccd8c03734ce.tmp
    Filesize
    111B
    MD5
    285252a2f6327d41eab203dc2f402c67
    SHA1
    acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
    SHA256
    5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
    SHA512
    11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize
    10KB
    MD5
    a59ef3bc6a59734b6be06e9272778f13
    SHA1
    da35e6df74b838a72dd1be5d2a2127a2c42fb015
    SHA256
    64d242d0b5b9a7d2f1d9cda3975d28670665a7f085aee3a675d8d8d7b49b76d3
    SHA512
    48f179b09806ce5d9f20f43c97195c675effbe1af476a2c7b07753d7675058c3571fcf0f3213f8dd67db84e3a4d1eaac57193b05f1978fe1a99b1fea00784114

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize
    10KB
    MD5
    747aeb008759553195b28462ac6b9577
    SHA1
    f92271ba4721dd03d500e0bba00802e8c6f3d259
    SHA256
    c56ff5c685b6af95af6a2615fb493e301c4d980398390147d150c0d36957beb6
    SHA512
    73d8bff9c6d1013fdcfc6811b77b8cb62455d9c92777ffb16b225b78938486a84c9b37ace46dde7c646062d64030d56893938801f4593de3dcd643ada0be89bb

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
    Filesize
    264KB
    MD5
    dfe5e1158be9021f82c2b32dd20e8279
    SHA1
    e31c23b71cdb18d2d9e0f7124af3fcb067f02e66
    SHA256
    e2eaad3586a9ab4899b866d3cb45970beaa6d56ea44769b00445888b34325dd4
    SHA512
    a24cd8ea176370ddaf2e74600d3e01a36590577d991bee8bf21b2a8d22d8ed958da67c706e791186f518b6f476475abea8f09f2ce41dff8255c47fc8839064b9

  • C:\Users\Admin\Desktop\HOW_TO_RECOVER_DATA.html
    Filesize
    4KB
    MD5
    0578ba23380837e1bd112306ed03ba22
    SHA1
    ae92c5b28cb07b415c0047d98e024d2a12322287
    SHA256
    ee5fa1f19f39077106311e3aa35c78409282b07535fa7d0e1059e2a24e33b684
    SHA512
    94fd94092af2a013e15731551410e6a02cafa7e78f27372b8869c638bb1374724538ed3ce05d770b11532abb96db7e137018434b590b09e4a97288585d82b09e

  • C:\Users\Default\ntuser.dat.LOG2
    Filesize
    536B
    MD5
    995bfc6824d39bfaf73494df1ec92460
    SHA1
    303d18530fd65ec551f5d2f5db84f67f1aa7cca6
    SHA256
    3e230d7e94ce044c755fa85c8cf5d3a7c0e706a4ce5e93980eb9b0c3ce437d90
    SHA512
    0e704ce8e4aea77925bcbe2082333dcb4d753f2b6aad9295cc220c632a0c90e115cde8e6025664179a0a847bf21c5234d07874e1a452b0d50680511be6f4c2b1

  • \??\pipe\LOCAL\crashpad_3156_PAFMFVPTKQSFYAVV
    MD5
    d41d8cd98f00b204e9800998ecf8427e
    SHA1
    da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512
    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html
    Filesize
    4KB
    MD5
    0578ba23380837e1bd112306ed03ba22
    SHA1
    ae92c5b28cb07b415c0047d98e024d2a12322287
    SHA256
    ee5fa1f19f39077106311e3aa35c78409282b07535fa7d0e1059e2a24e33b684
    SHA512
    94fd94092af2a013e15731551410e6a02cafa7e78f27372b8869c638bb1374724538ed3ce05d770b11532abb96db7e137018434b590b09e4a97288585d82b09e

  • memory/556-708-0x0000000000E60000-0x0000000000F12000-memory.dmp
    Filesize
    712KB

  • memory/556-741-0x0000000000E60000-0x0000000000F12000-memory.dmp
    Filesize
    712KB

  • memory/556-767-0x0000000000E60000-0x0000000000F12000-memory.dmp
    Filesize
    712KB

  • memory/556-0-0x0000000000E60000-0x0000000000F12000-memory.dmp
    Filesize
    712KB

  • memory/556-779-0x0000000000E60000-0x0000000000F12000-memory.dmp
    Filesize
    712KB

  • memory/556-789-0x0000000000E60000-0x0000000000F12000-memory.dmp
    Filesize
    712KB

  • memory/556-332-0x0000000000E60000-0x0000000000F12000-memory.dmp
    Filesize
    712KB

  • memory/556-31-0x0000000000E60000-0x0000000000F12000-memory.dmp
    Filesize
    712KB

  • memory/556-30-0x0000000000E60000-0x0000000000F12000-memory.dmp
    Filesize
    712KB

  • memory/556-881-0x0000000000E60000-0x0000000000F12000-memory.dmp
    Filesize
    712KB