9d08ae69118892ea1c52c7de851489669381d7f22da553279f7294a647428dc5

Resubmissions

20-04-2024 07:35

240420-je38lacd2y 9

19-04-2024 20:29

240419-y9v8ssfe4z 9

Analysis

max time kernel
279s
max time network
284s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 07:35

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-20T07:40:47Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_20-dirty.qcow2\"}"

Report Analysis Logs

General

Target

Chaos.exe
Size

14.1MB
MD5

0f2af0b53a994fd35b805fc145d75d7f
SHA1

605eaa911754fa8f52af25d292b7230bb5cde454
SHA256

8468e629d2bd9b14889e565066bcaf369b53738eb01d05714e99bb16c59d0c07
SHA512

448ab9b91f082050b290b4c21be98ed3c89697f501cc4e7e33686fff9b75ab6ca48900b947d1da5337acb30f554beb96b95ef020e6157101d17eca2879a72b9c
SSDEEP

393216:jazOUkLXiKcjFVA87ODedSSCnomX/+MX36fqc4GXRF:6AKFVT7dSSTOPXUqcB

Score

9^/10

bootkit evasion persistence ransomware themida trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Chaos.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Chaos.exe
Renames multiple (150) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Chaos.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Chaos.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Chaos.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Chaos.exe

Executes dropped EXE 4 IoCs

Processes:

Chaos.exeprotect.exeassembler.exeoverwrite.exe

pid process

1620 Chaos.exe
1888 protect.exe
4916 assembler.exe
3868 overwrite.exe

Loads dropped DLL 20 IoCs

Processes:

Chaos.exe

pid	process
1620	Chaos.exe
1620	Chaos.exe
1620	Chaos.exe
1620	Chaos.exe
1620	Chaos.exe
1620	Chaos.exe
1620	Chaos.exe
1620	Chaos.exe
1620	Chaos.exe
1620	Chaos.exe
1620	Chaos.exe
1620	Chaos.exe
1620	Chaos.exe
1620	Chaos.exe
1620	Chaos.exe
1620	Chaos.exe
1620	Chaos.exe
1620	Chaos.exe
1620	Chaos.exe
1620	Chaos.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/4280-0-0x00007FF7CFBD0000-0x00007FF7D0FBB000-memory.dmp	themida
behavioral1/memory/4280-2-0x00007FF7CFBD0000-0x00007FF7D0FBB000-memory.dmp	themida
behavioral1/memory/4280-3-0x00007FF7CFBD0000-0x00007FF7D0FBB000-memory.dmp	themida
behavioral1/memory/4280-73-0x00007FF7CFBD0000-0x00007FF7D0FBB000-memory.dmp	themida
behavioral1/memory/4280-88-0x00007FF7CFBD0000-0x00007FF7D0FBB000-memory.dmp	themida

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3696-1268-0x0000000000410000-0x000000000069E000-memory.dmp	upx
behavioral1/memory/3696-1448-0x0000000000410000-0x000000000069E000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Chaos.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Chaos.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Chaos.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
143	raw.githubusercontent.com
144	raw.githubusercontent.com
22	raw.githubusercontent.com
23	raw.githubusercontent.com
34	raw.githubusercontent.com
35	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

overwrite.exe

description ioc process

File opened for modification \??\PhysicalDrive0 overwrite.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	overwrite.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/3696-1448-0x0000000000410000-0x000000000069E000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Chaos.exe

pid process

4280 Chaos.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4280	Chaos.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "122"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1132431369-515282257-1998160155-1000\{E1DF35A1-E47C-437F-BA19-DCFDB775DEAB}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exeprotect.exe

pid	process
1692	msedge.exe
1692	msedge.exe
3948	msedge.exe
3948	msedge.exe
3012	identity_helper.exe
3012	identity_helper.exe
4696	msedge.exe
4696	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
5028	msedge.exe
5028	msedge.exe
896	msedge.exe
896	msedge.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe
1888	protect.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Chaos.exe1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe

description	pid	process
Token: SeDebugPrivilege	1620	Chaos.exe
Token: SeShutdownPrivilege	3696	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Token: 77393297408	3696	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Token: 9800394643205823838	3696	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Token: 51539607552	3696	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Token: 70371053915631	3696	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Token: 51539607552	3696	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Token: SeCreateTokenPrivilege	3696	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Token: SeCreateTokenPrivilege	3696	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Token: 4294967295	3696	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Token: 47244640256	3696	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Token: 16384	3696	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Token: 0	3696	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Token: 0	3696	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Token: 0	3696	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Token: 0	3696	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe

Suspicious use of FindShellTrayWindow 49 IoCs

Processes:

msedge.exe

pid	process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

msedge.exe

pid	process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exeprotect.exeLogonUI.exe

pid process

3696 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
1888 protect.exe
3788 LogonUI.exe

pid	process
3696	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
1888	protect.exe
3788	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Chaos.exeChaos.exemsedge.exe

description	pid	process	target process
PID 4280 wrote to memory of 1620	4280	Chaos.exe	Chaos.exe
PID 4280 wrote to memory of 1620	4280	Chaos.exe	Chaos.exe
PID 1620 wrote to memory of 4352	1620	Chaos.exe	cmd.exe
PID 1620 wrote to memory of 4352	1620	Chaos.exe	cmd.exe
PID 1620 wrote to memory of 4020	1620	Chaos.exe	cmd.exe
PID 1620 wrote to memory of 4020	1620	Chaos.exe	cmd.exe
PID 3948 wrote to memory of 1716	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 1716	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 3592	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 1692	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 1692	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 760	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 760	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 760	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 760	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 760	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 760	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 760	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 760	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 760	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 760	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 760	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 760	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 760	3948	msedge.exe	msedge.exe
PID 3948 wrote to memory of 760	3948	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Chaos.exe
"C:\Users\Admin\AppData\Local\Temp\Chaos.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4280

C:\Users\Admin\AppData\Local\Temp\onefile_4280_133580721668968517\Chaos.exe
"C:\Users\Admin\AppData\Local\Temp\Chaos.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
3⤵
PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa912346f8,0x7ffa91234708,0x7ffa91234718
2⤵
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
2⤵
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
2⤵
PID:760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
2⤵
PID:1520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
2⤵
PID:1136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
2⤵
PID:3028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
2⤵
PID:2688

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
2⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
2⤵
PID:2532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
2⤵
PID:924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4860 /prefetch:8
2⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4204 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
2⤵
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
2⤵
PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
2⤵
PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2296 /prefetch:1
2⤵
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
2⤵
PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
2⤵
PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1788 /prefetch:1
2⤵
PID:4088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1868 /prefetch:8
2⤵
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
2⤵
PID:4280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
2⤵
PID:1640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5596 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
2⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
2⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6748 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
2⤵
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,3268165863893869876,6874969220385851706,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7028 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2136

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4236

C:\Users\Admin\Desktop\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
"C:\Users\Admin\Desktop\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3696

C:\Users\Admin\87512693\protect.exe
"C:\Users\Admin\87512693\protect.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1888

C:\Users\Admin\87512693\assembler.exe
"C:\Users\Admin\87512693\assembler.exe" -f bin "C:\Users\Admin\87512693\boot.asm" -o "C:\Users\Admin\87512693\boot.bin"
2⤵
- Executes dropped EXE
PID:4916

C:\Users\Admin\87512693\overwrite.exe
"C:\Users\Admin\87512693\overwrite.exe" "C:\Users\Admin\87512693\boot.bin"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3868

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38ee855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1563576cf468fd744c889dcb8cc5dfef

SHA1
521d13bc82b35c174d534ea058edfde2038316cd

SHA256
e935541d0b3d9037243144452c7f3ae843e91bd8077f7a894a679264e033d0db

SHA512
e8826a3c71e6e2defdde7cc201067122c9e7f4c42145ebf57e65c1aa01ca420726552de8b72989d1350082cf61a551ed83c85efe8d30769a0b4a6421bc5c55e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
bf4d4a5a03d0b8f530855d589992550c

SHA1
ce8f77dfa28da9f59484416569493f7f08d13d5c

SHA256
4179623794d9f853edc3740c0a9ae2ce2d56d04b09de7c145298af5c439b796a

SHA512
dc96fb9ebbdb7cad8ddae46277602cbaf970644747e450d5060241d68813472bb6fb1feaa2285675b628ec33295e6246a7de68ce271de927ecd0e7bfe5fcb2fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0488ae21-f7fe-49fe-9979-d8c8cf21f107.tmp
Filesize
784B

MD5
b225cf35385b5e0c430f63fd96185206

SHA1
3c20e9dea0002d291132ae49b905fa168abf2e93

SHA256
bc13a83adcbb12597d7c5001d327fe6d71e0f6d2282fb1b8fdc8caaa5faa83a1

SHA512
f3e0b7a990b0d1cfef86db7597e329fb5eaabbcf01f65e16476002dbdd89a6ecc4b143fac620f5abcf0ee0ca70f15eb70c624203ad11107464ffc98c4c34d041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
Filesize
36KB

MD5
373cd53c408180c939165335e627fdb1

SHA1
0e0978e79b93bc3df23d73c042f6b5f8c20ecdc6

SHA256
c884b19162a6f5a0cd8fff61c5ba35729a2bec074dee7f1b514f60a5abd77909

SHA512
906c2ab56861ab8a0fac560c3b508f69275eeacf294bc4afcc20c40fe1a0e8cbc16c7535b17ded0f3f8bbe4a336f2899139411708103a2f6c0d8bfe1be4d2a0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
Filesize
1.1MB

MD5
1f557ae943b3a1e823b56cf9d410e7c3

SHA1
1340fc7fa2cf9fade7bebcc8b4dc62a1686aad54

SHA256
40f47bca0281df7ada22465ba6c706a9ccf9580288915aad5d42c2949521a7bb

SHA512
32d8f83a30ed7179a74ebc7bdcd454d2f5895592f078910564c8bf40490d92c24a836f50b359345cdf4f0288f9a922b0185beeccbc4007205ba50f585de20169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013
Filesize
20KB

MD5
8b2813296f6e3577e9ac2eb518ac437e

SHA1
6c8066353b4d463018aa1e4e9bb9bf2e9a7d9a86

SHA256
befb3b0471067ac66b93fcdba75c11d743f70a02bb9f5eef7501fa874686319d

SHA512
a1ed4d23dfbe981bf749c2008ab55a3d76e8f41801a09475e7e0109600f288aa20036273940e8ba70a172dec57eec56fe7c567cb941ba71edae080f2fdcc1e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
79844941dcc53d1929e6cc8400ac0ac2

SHA1
50dbd07758b040590c00a707c008d196bc9bab46

SHA256
737d82f398953e097d81075daa7d6083f7d3c4e437a85d32a1b04de8d9bdc003

SHA512
71531bfa651dd049130ba6d070c726f65170a4c3d7a91bfed9856b520b2bc4b49f78807fb4d28072ff9597317302f1119363cef753d4363b06169f969cb32ac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
17ca9b83e2ecf8057c9a4c1454ea1425

SHA1
ebebe6dbc7a8ef5f92d91fcc88ae3899acba2765

SHA256
377a81ea274ba98e31ef607ea0ff629587868cd6d4b9f2f8df98728119ba7e96

SHA512
9b95dd1be941a12cd42cc81e2a3a32ae5679b69be9b6f038a10105f04c873995c05841d5cb1338bc06ef31fa9622b33465fce4285f0bf34d99928ac8655e7ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
c4c044c4f43e8e84d58317a7e1a779b2

SHA1
2139c289c312ed9617db310705bee79a39d776dd

SHA256
8c79fded3be71c2ce3c2d957957028bc04ab8b7744db7291228997f3d392d8fb

SHA512
314bc08426f01dc5682e2477608db9fa88df4bebb33b27e0cae0becd0b28c615135f7078e722b2eb2e7903049797099cdd9e29f12a4c806fbebd83b269ddee45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
784B

MD5
04a20dcbca76ed80f15147deb2deccf1

SHA1
e565fa94bf6c56fdf722bb51a2f3f7ab10b2945b

SHA256
c5216ff99ec5731e72af8bc208642fbaf6eeaba1fa961c05b0bdd4b760ba5af7

SHA512
cd64e5218b22f1bcdbb0306b8ec13a4f35f964e26c8ddf57c32d2fcef357d0bff4ca930f69ae51f62de4f7b7692fd63de5c973500e7dda9415fd2c3d6300f04d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
867B

MD5
aa2b683010bb0eafc6473b799a56c2d3

SHA1
b7ed86baad3cd5a046753f477b2906f610c5516a

SHA256
4fe2e718690d4010f546bf82b894573019dee28a1a4e244ba8e938296e536ff2

SHA512
1f42e3beb06b7948d8b0c6b5f241a623b285ed3e578a861cf90efb3f8762a85bf1f104c6623b4ccd6d0d14b1a817deb126ec36061130f0598561220c2f83bdb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
0098745278a428c05b4028b8d6fc9c6b

SHA1
a18c9c0eab2354b24b56a138513145247c13c57e

SHA256
698ddbc8d45740cc72062494b45c863e1c30e2d954e5cff9682f8f8bdf96c4de

SHA512
f6b996190fa8be742bbccd92b6bf1e214c433bc58ff7ec23a42c8310d4405e6776427c9bef5916fbedb47ffcc8155ba865180e842dfef399172fd16c26a72b17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
d2211fc866e71ae507d076aba16db9a2

SHA1
4fd48eba9ccb2ff30cd23dca080783f2d1437543

SHA256
c80886dae8b2de825b3b6498d2934d271aea71b9605031e31afcff85b7b1fda2

SHA512
db1a206a57f0ea02e75a5ad93fa4220851f04853c05e1596091b869b0b7f4f467b0f6bc90d3ae7e17b5beb720a4985d04e2a7b716384e72fa4e58db4fd1ab674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
a3e67ef0edc7ec8f2915687db82d4cf8

SHA1
62535c5fe4cbea1042bd918a90a41c5aafac7fae

SHA256
7a5ccd07d17afce2ceaf5d3af810b74da48775378934de20639b2a7612fb98cb

SHA512
88517349097af439d09e61df39723172be44dd63aaf99c53d5c1aefcdff9900c187ad939d6ee51fea41f77372a5c3a47e7e14f14822b4cf5cf093f78437e986b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
a2ad8ec3793bc12ed962193f4794f9b7

SHA1
8238c7d3d8b56cd19164d38cc6e10e7643d15ae8

SHA256
47ada764420a8ea840ebcdfbbe9d725b630de18a66d34428a15d051d755a080b

SHA512
41937c4dc839b2c0375ef3b4b573d62aca414ee58b682a1d0e586143e55b9820fa1ad90513df54471e6dbf529b65981388e21f5e7895f448f1ec280b325bfa07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
4f8d941a2e07586500000aebccb4869c

SHA1
c225470af95e559e8fb2fe05063dfad0a01c9f0a

SHA256
798e73599a73fdcfedba179c0c092b7dd0eff5a732f8f255a0529bd826bd8d19

SHA512
ce66b69986f155bf804dd547970af85f66b707b0fa433ad4c6a6f442ce6477a3ef5fa9d682bfe333f7dc8acbd2ade66afa215de1b7e62bba308784d22b0bd80f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
91b7e4ffdec16a2dfc373167001a950e

SHA1
c188c3414ab6e569f9465857c32209a793934dbb

SHA256
84659a06f2cc63c53ce9e130803536d36c64120f9576710928691b9aeb675049

SHA512
a50c4fe3c038469ef63bf91b04174a6eab7c058f8f8766ce552952a782df61d94f325946dc365d0e3d5f401e216d56edaf9eb77a1e7eab5b379d4fbbd113fbd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
41991117fbfe3a0af2a7f64f5e78cd66

SHA1
2f01a4552ef0f1cf01940ceab49e33dec4e01d6e

SHA256
262eb8c27468ee73c1868512630ff924985811079b1dc473e92e2f53c58a2e57

SHA512
751c4e70118cb59f214cf0b07d698bf444cb6b14be39e16d427c71dab601f0beeca21ca0da9521e4ddea4b5f21fc00fc92b535ba4c9c64868a16a9012ffb8821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
0f354c8a09d5294e792f991b6da29725

SHA1
d1098fb2340966173720249117ad571bf760a471

SHA256
176bf6bb73ea1f052aa526dd9ba5988d0c8ec215aa772c7825f566eac00569b0

SHA512
83c23a3f7db6b0884c3b663044ab42f46d067574907edc30837617e2f02d5aa4bd1a10702d3848f3d130e9e65a9ce0f442eda52034e393c5d85969694895a4d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
ab3b19b12b6f8c8f163758d78e1c24d4

SHA1
7ef8d30df94c738ef5792529b4aaa8b6b676244b

SHA256
8d556544403c56ce595677bfee939445655b5ed46487856291b10239ff049378

SHA512
291cc7186847ccc805edd34de3149e999e8224de3c7211dd8081967efd492c113ddc8bd063ce1b95bdaa47be5b8be1e9d3b69557d695f98aa2b668bfb1dc38d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
5496d7811206d5454a5e86b21613954d

SHA1
4beb81e2a3abebb2a1116ad031d3e5216a347031

SHA256
dc8fa5f2b3ad16fcfe4c7c95a4d58ddc5d9079692fc6d16629f6b6375a3cac57

SHA512
a807b0dd6b77740cc17325ca4686401a9ff5391fb334a3145be46cf5c88d5c62fb0a3191f188970c7052a50096089eeea5b9f5eeb5c2b4ef948cf3e27a6a3b89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
56311e099ce1ae1986c467079845fc44

SHA1
22e1e12e4f107e893f0e3b0778b80cb9b76a6915

SHA256
4de8cbabfe20889599fe5d076573d5ec2ad60b18d502d3df500489e0f5fce6ad

SHA512
17afa96faa5192766636e60041ea822b2bc5ce99313c97d4aa35f02d93cb95a7c622a442aa95cc2c6d03af9cdc49b9102db849f561a0829890bdc5c28161bbd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
e9f290297a8b266087cf98946c63e163

SHA1
734bee7047ccb5fa905e5bbad1b9e0c5d8c55f23

SHA256
d4c6746e81124ae9e8f1bbb3d2a3ef5b05cf27ed4c07ddbaba7650d8d4c6dd3f

SHA512
545eba1a660330ac3ece084b47b957387ba1162d6fe5fcf330192ac247c8737008bc92f4b6ce52274955587e92cbdb815cc347330b8be5f7ff7d93f150556e17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
377f55599a196e3894e2b3bc95575248

SHA1
708c2039b7ffc9583e9d91c155a82b24cd582d12

SHA256
cc3690a159de48216116dc37a3700bde96dc70edba59c467399962d38c2503cf

SHA512
83c98ab050f3d99cad9024e01c95ad357d00bce7f50ba3439852fcb8c35c24eecee6aff26f980cd161f062f147619edd654686cb466120f085c16bceb5747040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d0a9d4b4fd198c538efd11801960ee99

SHA1
5e9ab790ba4a90db2250f5a4d5d271e2322ff1df

SHA256
473f9912acd56cee241140d4a8370611791d0f91683c590dbc410f3192e5b168

SHA512
ed3d3e48304621611ba94790663605018ca011f22ec12b83808a43b5e3077e08406a4485e85deb21224d0f4f56e132fa689e80d1a9a1cf8f013d16cc6ebdd45f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
fd793a36ae501f65c1e39067f4d1d367

SHA1
f0f2d74543a669418245a63a86efcb811e1c5ed6

SHA256
b9a9fa83145570cd9dc1c9c2a40204dc4e5d6c621acdb5a93006c809529606e6

SHA512
1e85b4c64e449597d271dbcae1cb04b00a93c3205161c7c8bd97aafa1614df1d56b3370f49b27358e3e7d7a6ad822505c2fd5d9d6a1f0d21d3c9be5dfcc844da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
a0fea5bec3be8523455ffd606a2fe321

SHA1
7609b6358af08c87590b257d12fff54ebfc28a0b

SHA256
12b0e39e6661a42a02b370071d0f511f76c614c381a07e39d58254ab8ec71142

SHA512
4b55c06f72df90ac3a6df4380983561283e5aae5113f3cdf0a789bfa0ebc362dfcd52dd2b7dac7756fc6cfe73e7fc435f6478375d5e010ec1391d762c2b4a94b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b101514c72e179a4e72d2c1a53aa2778

SHA1
6593443a2d7dc024310fcb7b4fb49e760d042bd5

SHA256
6a1833a49949640a7bb1a167b68c49d267cc48a5739446e57a87de75400cd17d

SHA512
3dd374e795e8f3edf974bc963ca77acac4fc94f3bc7c27b13095f07d3e1e79c27abce2ada8cab031650bf9b44caea844dadb0ce345a10ec7512f471148da4acb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
fb021e562179c13f176ef36fa28eb37d

SHA1
1e58c492090a1b58e14edde2f9d596515f793cec

SHA256
94f5a5339c1d95c3846d1777a9a06a2fc3eb01e54585067ee88e198241d13461

SHA512
3abdee0b23b645568ad9fb5803348661cad41307e55a253ebb15507804e02574cf613f0336f5a8c4dcc6881c85667204f2640661498df634679da73f303557e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
9009955f0751323cc39f68b0bff789b6

SHA1
be817e39f3c505d637338f73925057c980a6cf7d

SHA256
d967d32a5cdd4a8dadd329e07282badbaee2cf800717d1acb6459c7c9cf809ed

SHA512
c5b245be285fa1969e13dfcf04f9080f9cd630085d07d743f0f5dce5f51c3e4f7572a2924af8a1ba950a3b94c7643e92fbb27ca0f7ef655f2d04ef0337523c90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
92ee8917d9954a3952d9493aab37d75c

SHA1
4a15296efc5ee6a0154ddf2c645a94c2b3eb9597

SHA256
51971c87e5e828e9d3861ac2144a41321384bc79106d287e4fad615b27f150f1

SHA512
a179ea6872da18fe9ae17d4cd79989f2e12866a36bdc480c7e7712a94242c1b874d27be4959cc19199bad0a253aa31ea548a92b33a3bfeb8bfcf98e6010dc4fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b882b35a95e2571e511ce3180eb0b821

SHA1
9940736a8859d5edf42ebf55dbc0010c2613e947

SHA256
727bee56c7608a02c24c32c1d7f58120f20e5f970382c227d3b9620ba97ab06e

SHA512
e23cd8808b059d23d5fbb514550588973f679ebec8464f07b986c713358498a520ecde8240f5fc66dc3d2e8d3dabf2f38d2b740f3c44f9987ba89b47d2cdcdaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d7bd.TMP
Filesize
538B

MD5
297e000bdb3f3fd4947230f20a7c7413

SHA1
013d4bb9a5d5c0b5e6b9724280f0ec0cd7875014

SHA256
31f55c1b9bd60bbbf543994647edb0e7c3bf3882fd52b3fb535215eb5a79db91

SHA512
b5a02cecd115745af42c53b1bd2c64027e95f25de7275051150fc54bf79ff82214d956a743c24d56d704e92c1fde7d62b78a9e29d383991fa9dfc18f1fbbc939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
9ca85272a55236781889729e589d850d

SHA1
ccb33948fbd9dceeeb7861f6a3607e6e4a6b8cf5

SHA256
689327e96296c120785a7766a61cf9a9c1c7b32c3f9f30e78f2a0bc7e59229b9

SHA512
e3c4316f92f6d48884a552fc8ecf0864859c5700c77383fc0cb0b14d598e590ad8d2eb7a3bd1dbff19768a3b8d371eeeb6e4c9b5238b6ac715af7bd4e8ad2017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
722e525142c5c728288d085ae92a0fd6

SHA1
212fdcf185e098ac88990dd42e1571584c4b8b3e

SHA256
936edfee7c70c1e644f037a2bb63590417614a62a4d755255bf11d2e94e26eb1

SHA512
24a5afd7b8fba726066ae7167edae6be7c5ab3f79636a93f898230a186ee2691f0f3c0db0268b750b628f932bfbf295ac64f4aa745d2a0bb155eeb87809dc850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
21bca0ada1c0d1e95fac65f5d243c619

SHA1
bfecbd2fadfbcd845521219bc1127c94beba8be6

SHA256
8559823a7c5c5df6edc87be8964d384494de4f6cb29add4e7be9ef02e8e75b95

SHA512
dadda76dc5ccf92cd33a1de0b3dc9bb2f0de480477ec56fd0388089dc776f60f208ba016ead99009c8455dff8558a7c279a7e7a4eb05f69df875adb2e5a57629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
206de7e63b64df62a2f180fe46c3f1d2

SHA1
da92c32df8c0c7990b690675ece15a5072ce9b13

SHA256
a552994e672cff02cc38496957632fe72010e6e16d4f68d79a9e3db81c244fcd

SHA512
09816c093c4a65df0b2b84baea24bcff3df5b5056c487e3b66618db0af8fc5a34ce721a7abf4d3706fbb905d050dff168b6b16ae820566bf3cdf91ab19958ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
a25183e8eedde1d5506c2bcc43feff6b

SHA1
3f0f2eedf36b14a0fd19bf09d778c49d05ebbd53

SHA256
8268b2e0552d6707af0216c9df8e1e5a7fc15479435982de8571f96184f9bb7d

SHA512
e3b85ba1635a8a714875d7c524791da2590f6aea3376cdb8bf5293603d3dd5b9fbd8f432d61396a6a89fa0080eb75196297aafa0a83e94d7d8434a701027fa83

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
Filesize
81KB

MD5
4101128e19134a4733028cfaafc2f3bb

SHA1
66c18b0406201c3cfbba6e239ab9ee3dbb3be07d

SHA256
5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80

SHA512
4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd
Filesize
120KB

MD5
6a9ca97c039d9bbb7abf40b53c851198

SHA1
01bcbd134a76ccd4f3badb5f4056abedcff60734

SHA256
e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535

SHA512
dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd
Filesize
155KB

MD5
069bccc9f31f57616e88c92650589bdd

SHA1
050fc5ccd92af4fbb3047be40202d062f9958e57

SHA256
cb42e8598e3fa53eeebf63f2af1730b9ec64614bda276ab2cd1f1c196b3d7e32

SHA512
0e5513fbe42987c658dba13da737c547ff0b8006aecf538c2f5cf731c54de83e26889be62e5c8a10d2c91d5ada4d64015b640dab13130039a5a8a5ab33a723dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem
Filesize
285KB

MD5
d3e74c9d33719c8ab162baa4ae743b27

SHA1
ee32f2ccd4bc56ca68441a02bf33e32dc6205c2b

SHA256
7a347ca8fef6e29f82b6e4785355a6635c17fa755e0940f65f15aa8fc7bd7f92

SHA512
e0fb35d6901a6debbf48a0655e2aa1040700eb5166e732ae2617e89ef5e6869e8ddd5c7875fa83f31d447d4abc3db14bffd29600c9af725d9b03f03363469b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-8.dll
Filesize
34KB

MD5
32d36d2b0719db2b739af803c5e1c2f5

SHA1
023c4f1159a2a05420f68daf939b9ac2b04ab082

SHA256
128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c

SHA512
a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll
Filesize
686KB

MD5
8769adafca3a6fc6ef26f01fd31afa84

SHA1
38baef74bdd2e941ccd321f91bfd49dacc6a3cb6

SHA256
2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071

SHA512
fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\psutil\_psutil_windows.pyd
Filesize
65KB

MD5
3cba71b6bc59c26518dc865241add80a

SHA1
7e9c609790b1de110328bbbcbb4cd09b7150e5bd

SHA256
e10b73d6e13a5ae2624630f3d8535c5091ef403db6a00a2798f30874938ee996

SHA512
3ef7e20e382d51d93c707be930e12781636433650d0a2c27e109ebebeba1f30ea3e7b09af985f87f67f6b9d2ac6a7a717435f94b9d1585a9eb093a83771b43f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd
Filesize
28KB

MD5
97ee623f1217a7b4b7de5769b7b665d6

SHA1
95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

SHA256
0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

SHA512
20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd
Filesize
1.1MB

MD5
bc58eb17a9c2e48e97a12174818d969d

SHA1
11949ebc05d24ab39d86193b6b6fcff3e4733cfd

SHA256
ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa

SHA512
4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4280_133580721668968517\Chaos.exe
Filesize
18.9MB

MD5
3e46741808811d8f1c8207e6e84bbdfa

SHA1
c866be7bdd05ee858562c2689c2c653040faf546

SHA256
a16b7f0b39f178f1bc66ad6a103265bd5f283b0484ae137f3de035b808e1c51d

SHA512
4b224768992170399b5e442c724460ac67d5f2758b2add7329b79b65be22e414361eb92e3ebe0dcb1b1dcd0e80547688eab67bf36e0779a663191c0189663a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4280_133580721668968517\_hashlib.pyd
Filesize
62KB

MD5
de4d104ea13b70c093b07219d2eff6cb

SHA1
83daf591c049f977879e5114c5fea9bbbfa0ad7b

SHA256
39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e

SHA512
567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4280_133580721668968517\_lzma.pyd
Filesize
154KB

MD5
337b0e65a856568778e25660f77bc80a

SHA1
4d9e921feaee5fa70181eba99054ffa7b6c9bb3f

SHA256
613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a

SHA512
19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4280_133580721668968517\_queue.pyd
Filesize
30KB

MD5
ff8300999335c939fcce94f2e7f039c0

SHA1
4ff3a7a9d9ca005b5659b55d8cd064d2eb708b1a

SHA256
2f71046891ba279b00b70eb031fe90b379dbe84559cf49ce5d1297ea6bf47a78

SHA512
f29b1fd6f52130d69c8bd21a72a71841bf67d54b216febcd4e526e81b499b9b48831bb7cdff0bff6878aab542ca05d6326b8a293f2fb4dd95058461c0fd14017

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4280_133580721668968517\_socket.pyd
Filesize
76KB

MD5
8140bdc5803a4893509f0e39b67158ce

SHA1
653cc1c82ba6240b0186623724aec3287e9bc232

SHA256
39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

SHA512
d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4280_133580721668968517\charset_normalizer\md.pyd
Filesize
10KB

MD5
723ec2e1404ae1047c3ef860b9840c29

SHA1
8fc869b92863fb6d2758019dd01edbef2a9a100a

SHA256
790a11aa270523c2efa6021ce4f994c3c5a67e8eaaaf02074d5308420b68bd94

SHA512
2e323ae5b816adde7aaa14398f1fdb3efe15a19df3735a604a7db6cadc22b753046eab242e0f1fbcd3310a8fbb59ff49865827d242baf21f44fd994c3ac9a878

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4280_133580721668968517\charset_normalizer\md__mypyc.pyd
Filesize
116KB

MD5
9ea8098d31adb0f9d928759bdca39819

SHA1
e309c85c1c8e6ce049eea1f39bee654b9f98d7c5

SHA256
3d9893aa79efd13d81fcd614e9ef5fb6aad90569beeded5112de5ed5ac3cf753

SHA512
86af770f61c94dfbf074bcc4b11932bba2511caa83c223780112bda4ffb7986270dc2649d4d3ea78614dbce6f7468c8983a34966fc3f2de53055ac6b5059a707

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4280_133580721668968517\libcrypto-1_1.dll
Filesize
3.3MB

MD5
6f4b8eb45a965372156086201207c81f

SHA1
8278f9539463f0a45009287f0516098cb7a15406

SHA256
976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

SHA512
2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4280_133580721668968517\python3.dll
Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4280_133580721668968517\python311.dll
Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4280_133580721668968517\vcruntime140.dll
Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4280_133580721668968517\zstandard\backend_c.pyd
Filesize
512KB

MD5
dc08f04c9e03452764b4e228fc38c60b

SHA1
317bcc3f9c81e2fc81c86d5a24c59269a77e3824

SHA256
b990efbda8a50c49cd7fde5894f3c8f3715cb850f8cc4c10bc03fd92e310260f

SHA512
fbc24dd36af658cece54be14c1118af5fda4e7c5b99d22f99690a1fd625cc0e8aa41fd9accd1c74bb4b03d494b6c3571b24f2ee423aaae9a5ad50adc583c52f7

Download Submit
C:\Users\Admin\Downloads\Ransomware.RedBoot.zip
Filesize
1.2MB

MD5
51250dabf7df7832640e4a680676cb46

SHA1
74ba41bb17af6e5638171f7a6d9d49e978d8d3b3

SHA256
7fa2bf61405ac573a21334e34bf713dcb5d1fc0c72674e6cebc48d33a4a14d44

SHA512
43f898d7e5752312a79138dcce94c117a20fb6efd9e522fc1ed3cc2d407d13cacf5b6f810c7c1966c4c03217aeb51fce641feb31b26620ff239756132b17f57a

Download Submit
\??\pipe\LOCAL\crashpad_3948_GFHMZWGGOMYDTNZF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1620-81-0x00007FF634FE0000-0x00007FF636310000-memory.dmp

Filesize
19.2MB

Download
memory/1620-80-0x00007FF634FE0000-0x00007FF636310000-memory.dmp

Filesize
19.2MB

Download
memory/1620-77-0x00007FF634FE0000-0x00007FF636310000-memory.dmp

Filesize
19.2MB

Download
memory/1620-74-0x00007FF634FE0000-0x00007FF636310000-memory.dmp

Filesize
19.2MB

Download
memory/3696-1268-0x0000000000410000-0x000000000069E000-memory.dmp

Filesize
2.6MB

Download
memory/3696-1448-0x0000000000410000-0x000000000069E000-memory.dmp

Filesize
2.6MB

Download
memory/3868-1297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4280-0-0x00007FF7CFBD0000-0x00007FF7D0FBB000-memory.dmp

Filesize
19.9MB

Download
memory/4280-1-0x00007FFAA0030000-0x00007FFAA0225000-memory.dmp

Filesize
2.0MB

Download
memory/4280-88-0x00007FF7CFBD0000-0x00007FF7D0FBB000-memory.dmp

Filesize
19.9MB

Download
memory/4280-3-0x00007FF7CFBD0000-0x00007FF7D0FBB000-memory.dmp

Filesize
19.9MB

Download
memory/4280-2-0x00007FF7CFBD0000-0x00007FF7D0FBB000-memory.dmp

Filesize
19.9MB

Download
memory/4280-89-0x00007FFAA0030000-0x00007FFAA0225000-memory.dmp

Filesize
2.0MB

Download
memory/4280-73-0x00007FF7CFBD0000-0x00007FF7D0FBB000-memory.dmp

Filesize
19.9MB

Download
memory/4280-78-0x00007FFAA0030000-0x00007FFAA0225000-memory.dmp

Filesize
2.0MB

Download
memory/4916-1295-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads